Avoid rookie mistakes and progress positively in bug bounty

Kunal pandey
Jan 4, 2019 · 5 min read

Hello Everyone

Hope everyone is having an awesome holiday, and wishing everyone a Happy New Year 2019.

I will try to summarize the rookie mistakes that most people make and that get their reports closed as N/A, so that you can avoid them and progress further.

You can also check out https://medium.com/@d0nut/5-tips-bug-bounty-programs-want-you-to-know-about-544d29888aeb, where Donut explains the process and gives tips really well.

Note: I will also cover rookie mistakes from my own experience.

I am going to explain each aspect one by one.

1) Writing reports

Report writing differs from person to person; however, if you don't explain the issue correctly and in a proper format, the security triager will have difficulty understanding the report.

So you can always follow a proper format when writing a report:

Title (it should be catchy and also related to the bug)

Steps to Reproduce (cover everything from the steps up to the explanation of the code involved)

Proof of Concept (attached screenshots or video)

OS and Browser (needed in special reports, not all the time)

If you follow a good report format, you can always present your security bugs and convey them to the team members in the easiest way possible.

2) Being Patient

This sounds easy to ignore, but if you keep commenting on your reports asking about their status, the team members will have a harder time following up and working on reports. Everyone needs to realize that team members have hundreds of reports, or more, to work through.

Some issues are so critical that they can take more than 6 months to resolve on the backend, with developers working on them continuously every day.

So give it some time, and knock once if you think the team members are not responding at all. You can try the email support service if you think no one has responded over a long period.

3) Analyze your security bugs (over and over again)

If you think you have found a security bug, don't rush to submit it in excitement; analyze it over and over again.


Let me give you an example:

Security bug: deleted files can still be fetched using API endpoints or any other endpoints.

Most people will hurry to submit, but it turns out that the report gets closed as N/A.

What’s the reason?

Apparently, most of the time the server has its own maintenance schedule during which people can still fetch the deleted file for 15-45 minutes; after one hour the files are permanently deleted from the server, and by the time you submit the report you will be frustrated that you can't fetch the deleted file at all, and you will receive an N/A.

So the time factor always counts when you try to fetch deleted files.

Never rush to submit in excitement; analyze your bug first from every aspect and then submit.
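To make the "time factor" concrete, here is an added example (not from the original post) that simulates a backend which soft-deletes files and purges them after a retention window, and a re-verification routine that checks the deleted file at several offsets so you only submit if the exposure persists past the purge. The store, the 60-minute purge window and the file contents are all constructed assumptions for the simulation.

```python
from datetime import datetime, timedelta

# Assumed purge interval for this simulation; real backends differ.
PURGE_WINDOW = timedelta(minutes=60)


class SimulatedFileStore:
    """Constructed stand-in for a backend that soft-deletes files: after a
    delete, the object stays fetchable until the purge job runs."""

    def __init__(self):
        self._files = {}       # file_id -> content
        self._deleted_at = {}  # file_id -> time of soft delete

    def upload(self, file_id, content):
        self._files[file_id] = content

    def delete(self, file_id, now):
        self._deleted_at[file_id] = now

    def fetch(self, file_id, now):
        """Return the content, or None once the purge job has removed it."""
        if file_id not in self._files:
            return None
        deleted = self._deleted_at.get(file_id)
        if deleted is not None and now - deleted >= PURGE_WINDOW:
            self._files.pop(file_id)  # purge job has run
            return None
        return self._files[file_id]


def verify_deleted_file_exposure(store, file_id, deleted_at, check_offsets):
    """Re-check the deleted file at each offset after deletion and return a
    timeline of (minutes_after_delete, still_fetchable)."""
    timeline = []
    for offset in check_offsets:
        minutes = int(offset.total_seconds() // 60)
        fetchable = store.fetch(file_id, deleted_at + offset) is not None
        timeline.append((minutes, fetchable))
    return timeline


def persists_after_window(timeline):
    """Only worth reporting if the file is still fetchable at the last check."""
    return timeline[-1][1]


def run_demo():
    store = SimulatedFileStore()
    t0 = datetime(2019, 1, 4, 12, 0)  # constructed deletion time
    store.upload("doc-1", b"constructed sample content")
    store.delete("doc-1", t0)
    offsets = [timedelta(minutes=m) for m in (5, 30, 45, 90)]
    timeline = verify_deleted_file_exposure(store, "doc-1", t0, offsets)
    return timeline, persists_after_window(timeline)
```

In this simulation the file is fetchable at 5, 30 and 45 minutes but gone at 90, so the finding would not survive triage; a genuine exposure is one that stays fetchable well past the purge window.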

4) Think like a team member

This one has helped me a lot in bug bounty. Whenever I find a bug, I try to question myself from the team member's perspective:

"Where can you execute this bug? How is it different from that report? Have you gone through our documentation? Please read the policy first and check out the excluded scope."

If you always think this way, I can assure you that 70-80% of the N/A reports will simply not happen from your side.

5) Keep a good level of interaction and ask for feedback as well

When you go wrong, you can always ask the team member for feedback and an explanation; believe it or not, it has really helped me progress.

Also, if you have a good level of interaction where you understand each other's perspective, then that report will set an example of a good quality report that others can learn from as well.

6) Some excluded bugs and mistakes not to practice

CSRF in areas with no session attached: for example, any help site with a "was this article helpful?" vote.

Shopping sites where an item can be added to the cart without a session, and can be added repeatedly.

Shopping sites whose review comment areas have an up/down vote section where, without any session, you can craft a CSRF request to add a vote.

These types of CSRF are not accepted by any company, and the report status will be either duplicate, informative, or N/A.

Here is a related link: https://www.geekboy.ninja/blog/cross-site-scripting-for-fun-pastejacking/.

There are more excluded bugs to discuss, but I think this gives you a glimpse of excluded bugs and of when to report and when not to.

Lastly, there are many other aspects in which you can progress further, but I think the most important thing, before going into more depth, is to practice the basic methodology and style of reports and bugs.

My experience

I learned all these points over a period of time and consider them whenever I find bugs now. I have just one year of experience, since I started in January 2018, and I think people can progress in bug bounty and increase their knowledge if they focus on the small things as well.

To every newcomer: focus on these small things and you can progress further. No need to rush anything; take your time, learn slowly, consider every point and progress.

If anyone wants to add anything, feel free to comment down below.
