How to write bug bounty report

Dewanand Vishal
3 min read · May 3, 2020

Hi bug hunters! Thanks for appreciating my previous article. I know there are many write-ups about “how to write a good bug report”, but one thing I noticed is that they are all at an intermediate or advanced level and are very difficult for a beginner to understand. In this write-up we will focus only on writing a good, valuable report for submission to bug bounty programs.

Before we start, let’s look at the components of a report. A report can contain a Title, Description, Steps to reproduce, Proof of concept, Exploit code, Recommended solution, and References. Each component plays a different role in a bug bounty submission. Writing every component in every report is not good practice; which ones to include depends on the scenario and the nature of the vulnerability.

Writing a good report is difficult. When I started, I spent 1–2 hours writing one report. After submitting 100+ bug reports on different platforms, I understood what the main components of a report are and how they help security engineers spot the vulnerability. I’m going to describe each one in turn. Let’s start…

Title

The first impression is the last impression: the security engineer looks at the Title first, and from it alone should be able to understand what the issue is. Write what kind of functionality you were able to abuse or what kind of protection you were able to bypass (the vulnerability type and the affected functionality). Keep it to a single line.

Description

This component provides the details of the vulnerability. Explain the vulnerability here: write about the paths, endpoints, and error messages you encountered while testing. You can also attach the relevant HTTP requests and, if you have it, the vulnerable source code.

Steps to reproduce

You must write each step clearly, with every request, parameter, and value needed, so that the issue can be reproduced exactly as you saw it. This helps security engineers triage fast.

Proof of concept

This component is the visual record of the whole work. You can record a demonstration video or attach screenshots.

Impact

Write about the real-life impact: how an attacker could take advantage of the vulnerability if they exploited it successfully, and what kind of damage could result. Avoid writing about purely theoretical impact.

Optional Components

Exploit code

If you are familiar with a scripting language, you can write a script that automates the whole process.

Recommended solution

You can suggest to the company a functionality change or prevention method that would mitigate the issue.

Sample Report

You can find more sample reports here

Conclusion

Writing a bug bounty report can be challenging, especially for beginners who are not familiar with the process. With some guidance and practice, however, you can develop the skills needed to write effective bug bounty reports.

Remember that bug bounty programs appreciate well-documented and informative reports. Even if you’re a beginner, your effort to report vulnerabilities responsibly is valued. Good luck with your bug bounty reports!
