Writing Good Bug Bounty Reports

Mon, 8 Jul 2019 21:18:00 GMT
by pdp

This is what I do to write successful bug bounty reports that pay out. I used this technique on 3 hidden bug bounty programs. One of them gave me a 2K bounty. For the other two, I don't know. #bugbountytips

  1. Your introduction is like the first chapter of a book. This is your opportunity to show style and creativity. If this part of the report is weak, the rest of the content is likely to be skimmed over.

  2. Don't just slam down some technical description and call it a day. Lay out exactly how you found the vulnerability. It is like a good story. What tipped you off to look in this direction? How long did it take you to get there? What obstacles did you have to overcome, and how did you come out on top against all odds?

  3. Don't overstate the impact. I am guilty of this as well. Sometimes things are not as critical as they look, but you can still provide a measured assessment that will tip the scale your way. It is better to be truthful than annoying.

  4. Remember that it is much easier to make a good first impression than to change the other person's mind. The latter comes at a personal cost: they have to admit they were wrong. You are not going to make friends this way.

  5. Ask for feedback. I started doing this on my most recent reports. There is no other way to know what you did wrong and how you can improve.

  6. Always provide value. This morning I reported an issue I was almost sure would be a dup. The potential reward was 5 digits. I wrote them a nice bug report. It was a dup, but my report still rocks.

My most recent reports are like chapters of a book (only 3 of them so far). When I wrote them I was thinking that perhaps one day I will bind them all and create an international bestseller.

This is also time for self-reflection. You might learn a thing or two about your style or perhaps figure out if it is time to change strategy and direction.

Remember that there are people on the other side of the computer screen. Communication is an essential skill.

Btw, I messed up on almost all of the points above, forgetting my years of training. The final report was the most important deliverable at the company where I and @dcuthbert used to work. We used to spend a lot of time making sure everything was perfect before we handed it over.

https://twitter.com/pdp/status/1148325597690703872