How To Craft A Professional Bug Bounty Report (Extra $$)
TL;DR: Documenting the bugs or vulnerabilities you’ve found is the last step in bug hunting; make sure to finish strong and get the maximum benefit.

Bug bounties are a great way for white-hat hackers to make some cash. You’ll need a fairly particular skill set: familiarity with a range of different vulnerability classes and how each is exploited.
If you’re not familiar with the basic vulnerability classes, web app bugs for example, check out these posts before reading this one.
If you are familiar with the concepts in those articles, you’re ready for the third and final step in the bug bounty process.
The Final Step →
Once any vulnerabilities you found have been exploited, the last step is submitting them to the bug disclosure programs or somehow alerting the company of the bug. You’ll want to look as professional as possible in this step, and demonstrate your knowledge as best you can. If you can show you’re a seasoned bug hunter, you’re more likely to get a speedy and bounteous verification.
The Basics of a Report →
Taken directly from HackerOne, this bug report template is a good foundation.
## Title:
[Title of bug, i.e. “[bug type] on [domain] leading to [list possible consequences]”]
## Summary:
[add summary of the vulnerability, what can it do to harm the company/website/app?]
## Steps To Reproduce:
[add details for how others can reproduce the issue. The better you do this, the sooner you can possibly get a reward & it shows professionalism]
1. [add step]
2. [add step]
3. [add step]
## Supporting Material/References:
[list any additional material (e.g. screenshots, logs, Burpsuite request/responses, etc.)]
* [attachment / reference]
## IP Address:
[IP Address for identifying your traffic]
## Timestamp:
[Date and time of testing]
This is pretty good. It all depends on how you present the bug, but this outline works pretty well.
In the title you would say something like “Open Redirect on Website.com leading to PII disclosure”. This tells whoever is trying to verify the bug what type of bug it is, what site is vulnerable, and what the possible effect of the exploitation would be.
The summary section asks you to describe the vulnerability, essentially its definition. In this case: what is an open redirect? How has it been used in the past for malicious purposes? How might a malicious hacker go about stealing from or harming the company if they were to exploit this vulnerability? These questions should all be answered in your summary at a minimum.
In ‘Steps to Reproduce’, you’ll need to show how you discovered and could possibly exploit this vulnerability in as much detail as possible. If the verifier of your bug can’t recreate your steps, you won’t get a bounty. Be specific and it will serve you well. The easier the steps are to follow, the quicker you’ll get a response. Some possible steps:
- Intercept URL with Burpsuite and send to repeater (show url you modified)
- Use a particular attack pattern or encoding in the URL (e.g. base64-encode, then URL-encode)
- Explain the impact (now it redirects to evil.com)
Fairly simple, but make sure they’re easy to follow and detailed.
For ‘supporting material’, provide Burpsuite requests/responses, screenshots, logs, or anything else that might help distinguish your responses and show the verifier what happened in the backend. For example:
GET ${harmful open redirect stuff here} HTTP/1.1
Host: website.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
This will provide further understanding to the verifier, which is your goal in this report.
For ‘IP address’ and ‘Timestamp’, simply disclose the basics: where you sent the requests from and the general times you sent them, so the company can look through its network logs to validate the report further.
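As an added example (not from the original post or from HackerOne’s template), here is a small Python helper that fills the template above, refuses to render a report with an empty section, stamps the testing window in unambiguous UTC, and masks the tester’s own Cookie/Authorization values in a pasted raw request before it goes into ‘Supporting Material’. The sample request, host and cookie are constructed.

```python
from datetime import datetime, timezone

# Headers whose values carry the tester's own session material. The template
# asks for raw requests; masking these is an added precaution, not part of it.
SENSITIVE_HEADERS = {"cookie", "authorization"}
REQUIRED = ("title", "summary", "steps", "material", "ip", "timestamp")


def utc_timestamp(dt=None):
    """Timestamp the testing window in ISO 8601 UTC (no local-time ambiguity)."""
    dt = dt or datetime.now(timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def redact_request(raw):
    """Keep the request shape but mask credential-bearing header values."""
    out = []
    for line in raw.strip().splitlines():
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS:
            line = f"{name}: [REDACTED]"
        out.append(line.rstrip())
    return "\n".join(out)


def render_report(fields):
    """Fill the HackerOne-style template; refuse to render an incomplete one."""
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        raise ValueError(f"report incomplete, missing sections: {missing}")
    steps = "\n".join(f"{i}. {s}" for i, s in enumerate(fields["steps"], 1))
    refs = "\n".join(f"* {m}" for m in fields["material"])
    return (
        f"## Title:\n{fields['title']}\n\n"
        f"## Summary:\n{fields['summary']}\n\n"
        f"## Steps To Reproduce:\n{steps}\n\n"
        f"## Supporting Material/References:\n{refs}\n\n"
        f"## IP Address:\n{fields['ip']}\n\n"
        f"## Timestamp:\n{fields['timestamp']}\n"
    )


# Constructed sample request, mirroring the post's open-redirect illustration.
SAMPLE_REQUEST = """GET /login?next=https://evil.com/ HTTP/1.1
Host: website.com
Cookie: session=abc123
Connection: close
"""
```

Pass `redact_request(SAMPLE_REQUEST)` as one of the `material` entries and the rendered report carries the full request shape without your live session token.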
With those done, you’re sure to at least look more professional and feel better about showing off your different white-hat hacking accomplishments.
A Few Examples →
Here are a few great examples to look at if you’re submitting a bug report:
$20K Account Takeover w/ Session Cookies
$8.5K Improper Email Authentication Process
Here’s HackerOne’s official documentation on submitting a report as well:
I hope this helped you figure out the best ways to submit bug reports, and get the most out of your hard work for it. If you learned something, give a few claps so that I know to post similar articles. To learn more about computer science and hacking, check out more posts on The Gray Area.
If you’re not already a Medium member and you’d like to access all my articles (and everyone else’s on Medium), sign up using my referral link →
Thanks!