@jobertabma
Created June 11, 2017 22:25
  • Practice excluding vulnerability type names
    • Why: this makes it easier for the receiver to identify the root cause of the vulnerability, and to spot duplicates faster. When there are multiple vulnerabilities and there is no chain between them, consider filing them as separate reports. Expect that your reports will be escalated to people who have never heard security lingo like XSS. Help them understand the vulnerability and give remediation advice where possible.
    • Good title: Lack of input sanitization in name parameter on https://register.example.com/new leads to execution of JavaScript in user session.
    • OK title: Reflected XSS in name parameter on https://register.example.com/new
    • Poor title: XSS
  • Mention the affected asset
    • Why: different people or teams are often responsible for different assets. Decrease triage overhead by mentioning the asset in the title, such as a domain name, mobile app, device, version number, or URL, so the report is easier to assign to someone with more knowledge about it.
    • Good title: OAuth secrets leaked in decompiled Example, Inc. Android app
    • Poor title: Secrets leaked in app
  • Avoid dramatization
    • Why: stick to the facts and stay objective. Make a clear case in the body of the vulnerability report (not the title) for why you believe it is a severe vulnerability. This also avoids bad surprises when it comes to the bounty payout.
    • Good title: Improper escaping in id parameter on blog.example.com/home leads to execution of SQL commands
    • OK title: Time-based SQL injection in id parameter on blog.example.com/home
    • Poor title: URGENT: VERY CRITICAL AND COMPANY ENDING SQLI
  • Incorporate the vulnerability cause, not just the effect
    • Why: understanding the cause of the vulnerability is key to remediation and to setting the correct severity. Help the receiving party determine where to fix what, instead of only pointing out the effects. Often there are also effects that you cannot foresee. Stick to the cause, not just the effect.
    • Good title: Lack of entropy requirements of user's password on example.com
    • Poor title: Setting password with single character
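A triage team can turn the four rules above into a first-pass title lint. The following is an added example, not part of the gist: it grades a title "good", "ok" or "poor" using simple heuristics (a URL, hostname or named platform app counts as the asset; loaded words or shouting in capitals count as dramatization; a root-cause phrase earns "good", a bare vulnerability class only "ok"). The keyword lists are assumptions chosen for illustration and the sample titles are the gist's own examples; a real tool would tune the lists per program.

```python
"""Vulnerability report title linter (added example; not the gist's code).

Heuristic checks for the gist's four rules:
  1. name the vulnerability type, preferably its root cause
  2. mention the affected asset
  3. avoid dramatization
  4. describe the cause, not just the effect
The keyword lists below are assumptions for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Phrases that name a root cause or weakness (assumed, illustrative list).
CAUSE_WORDS = [
    "lack of", "missing", "improper", "insufficient", "unvalidated",
    "unescaped", "sanitization", "escaping", "entropy", "leaked", "exposed",
]
# Vulnerability classes: acceptable, but say less than the cause (assumed list).
VULN_CLASSES = [
    "xss", "cross-site scripting", "sql injection", "sqli", "csrf", "ssrf",
    "idor", "open redirect", "rce", "path traversal", "injection",
]
# Words that signal drama rather than facts (assumed list).
DRAMA_WORDS = ["urgent", "critical", "company ending", "catastrophic", "!!!"]

# An asset is a full URL, a hostname, or a named platform app.
ASSET_RE = re.compile(
    r"(https?://\S+)"                        # full URL
    r"|(\b[\w-]+(\.[\w-]+)+\b)"              # hostname such as blog.example.com
    r"|(\b(android|ios|mobile|desktop|web) app\b)",
    re.IGNORECASE,
)
# Words of four or more letters; short acronyms like XSS are not "shouting".
WORD_RE = re.compile(r"[A-Za-z]{4,}")


@dataclass
class Verdict:
    title: str
    grade: str                                  # "good", "ok" or "poor"
    findings: List[str] = field(default_factory=list)


def lint_title(title: str) -> Verdict:
    lowered = title.lower()
    findings: List[str] = []

    # Rule 2: the affected asset must be named.
    if not ASSET_RE.search(title):
        findings.append("no affected asset (domain, URL, app) named")

    # Rule 3: loaded vocabulary or a title mostly in capitals is dramatization.
    words = WORD_RE.findall(title)
    shouting = [w for w in words if w.isupper()]
    if any(d in lowered for d in DRAMA_WORDS) or (
        len(shouting) >= 2 and len(shouting) >= len(words) / 2
    ):
        findings.append("dramatized wording; state the facts instead")

    # Rules 1 and 4: a cause phrase is best, a vulnerability class is acceptable.
    names_cause = any(c in lowered for c in CAUSE_WORDS)
    names_class = any(v in lowered for v in VULN_CLASSES)
    if not (names_cause or names_class):
        findings.append("neither a vulnerability type nor a root cause is named")

    # A one- or two-word title cannot satisfy the rules above.
    if len(title.split()) < 4:
        findings.append("too short to identify the issue")

    if findings:
        grade = "poor"
    elif names_cause:
        grade = "good"
    else:
        grade = "ok"   # class named, underlying cause left to the reader
    return Verdict(title, grade, findings)


# The gist's own example titles with the labels it gives them (constructed table).
GIST_TITLES = {
    "Lack of input sanitization in name parameter on https://register.example.com/new leads to execution of JavaScript in user session.": "good",
    "Reflected XSS in name parameter on https://register.example.com/new": "ok",
    "XSS": "poor",
    "OAuth secrets leaked in decompiled Example, Inc. Android app": "good",
    "Secrets leaked in app": "poor",
    "Improper escaping in id parameter on blog.example.com/home leads to execution of SQL commands": "good",
    "Time-based SQL injection in id parameter on blog.example.com/home": "ok",
    "URGENT: VERY CRITICAL AND COMPANY ENDING SQLI": "poor",
    "Lack of entropy requirements of user's password on example.com": "good",
    "Setting password with single character": "poor",
}


def grade_all(titles: Dict[str, str] = GIST_TITLES) -> Dict[str, str]:
    """Return the linter's grade for each title; keys are the titles."""
    return {t: lint_title(t).grade for t in titles}


if __name__ == "__main__":
    for title, expected in GIST_TITLES.items():
        verdict = lint_title(title)
        print(f"[{verdict.grade:>4}] (gist says {expected}) {title}")
        for finding in verdict.findings:
            print(f"        - {finding}")
```

Run as a script it prints each gist title with the linter's grade next to the gist's own label; the two agree on all ten, which is the point of the example: the rules are concrete enough to check mechanically before a human triager reads the report.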