How to write bug bounty report

Hi! Bug hunters, thanks for appreciating my previous article, I know there are many write-ups about “how to write a good bug report” but one thing I notice that’s all are intermediate and advance level and it is very difficult to understand for a beginner. In this write-up, we will focus only to write a good and potential report in order to submit in bug bounty programs.

Image for post
Image for post

Before we start, let’s know about the components of a report, any report contains Title, Description, Reproduce steps, Proof-of-concept, exploit code, recommended solution, and References. in order to submit bug bounty report each component has different roles. Writing all component in every report is not a good practice its all depend on the scenario and nature of vulnerability.

Writing a good report is very difficult, When I started, I spend 1–2 hours to write one report. after submitting 100+ bug reports on different platforms. I understood what is the main components of the report and how it helps the security engineers to spot the vulnerability. I’m going to describe each one by one. let’s start…

Title

The first impression is the last impression, the security engineer looks the Title first and he can understand what is the issue? Write about what kind of functionality you can able to abuse or what kind of protection you can bypass. Write in just one line.

Description

This component provides details of the vulnerability, you can explain the vulnerability here, write about the paths, endpoints, error messages you got while testing. You can also attach HTTP requests, vulnerable source code.

Steps to reproduce

You must write each step clearly in-order to demonstrate the issue. that helps security engineers to triage fast.

Proof of concept

This component is the visual of the whole work. You can record a demonstration video or attach screenshots.

Impact

Write about the real-life impact, How an attacker can take advantage if he successfully exploits the vulnerability. What type of possible damages could be done? (avoid writing about the theoretical impact)

Optional Components

Exploit code

If you are familiar with any scripting languages then In order to automate the whole process, you can write one script

Recommended solution

You can suggest the company to implement any kind of functionality or prevention method to mitigate the issue.

Sample Report

Image for post
Image for post

You can find more sample reports here Bug-report

Conclusion

The good report plays a key role in bug bounty, sometimes the company appreciates your reports and award you some bonus, sometimes they pay a small bounty for a similar report. It depends on the quality of the report.

Security Researcher | Bug Bounty Hunter

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store