@riyazwalikar
Last active March 17, 2020 19:35

How to write a good bug bounty report

  1. Use simple words and avoid complex phrases. Use headings for your report sections.
  2. Mention if authentication is required to exploit the issue.
  3. If authentication is required, elaborate on the privilege level required (admin, guest, etc.), if applicable.
  4. Provide the URL where the exploit payload is consumed and the parameter/header component that is affected.
  5. Include the HTTP requests and responses for multi-step bugs.
  6. Steps to reproduce the issue should ideally be written from the point of view of a user/attacker of the system.
  7. In the steps to reproduce, avoid jumping directly to the URL/parameter being exploited. Don't write "1. Go to http://example.com/api/v1/something/23/, 2. Change 23 to -1." This gives the reader no context about what the endpoint does, where the value 23 comes from, or why changing it matters.
  8. If possible mention what you think the expected output should be and what you see instead
  9. Number and name your screenshots properly. For example - 1-http-request-without-tamper.png, 2-http-response-without-tamper.png, 3-http-request-with-id-param-modified.png etc.
  10. State a severity for the bug, if possible, calculated using CVSS 3.1. Explain why you think the bug deserves the level of severity. Explain the impact of exploiting the bug using a real world scenario. Do not exaggerate.
  11. Do not be rude or condescending in the report. Be empathetic. The person reading your report possibly reads a lot of reports every day and is a human who can be tired and annoyed by other submissions.
  12. Provide references to other bugs that may be similar in your opinion, blog posts or recognised documentation around what the issue is at the end of the report.