Bug Reporting for Bug Bounties
Wait, I know you are excited that you just found a bug. Don’t gloss over one of the most important steps in the bug bounty process — the bug report.
Bug reports are the main way of communicating a vulnerability to a bug bounty program. Programs pay out rewards for valid bugs, and it is the hacker’s job to lay out the most important information. This includes how to reproduce the bug as well as how critical the bug is to the security of the company. With the report, the program’s security team can identify what needs their attention most and award bounties appropriately.
Don’t Forget the Scope
Before we hop into what makes a good report, we need to cover our bases. Each bug bounty program has a program description that outlines the scope and requirements of the program. We need to make sure that the bug found:
- Is within the program scope
- Is not on the list of excluded vulnerabilities
Both of these determine what a bug is worth to the company. Remember, submitting bugs outside of scope hurts your hacker score and wastes the time of the security team.
One thing to keep in mind is that if you have found a low severity bug, dig deeper to see if it opens the door for a more critical bug.
Okay, now that you have verified that your bug is indeed in scope, we need to start the report. What goes into a bug report?
How severe is the bug?
The first part of the report should act as a summary of the attack as a whole. Note the type of vulnerability found as well as where it was found. Determine the severity of the vulnerability. What kind of data was accessed? Do you need special privileges to execute the attack? If you aren’t sure what the severity of the bug is, that is okay. However, you will be leaving the decision up to the security team. This can work for you or against you. They could find that the bug you found accesses a lot more than you realized, or they may see it as a bug that isn’t as critical.
Reproducing the Bug
Next, write out how to reproduce your bug. Think of questions like: what subdomain does it appear in? What steps did you take to find the bug? This doesn’t mean writing a ten page report with pictures showing every single click you made. Instead, write only the steps necessary to reproduce the bug. The goal is to help the company by keeping the report concise and easy to follow. If it happens to be a complicated attack, use an accompanying video to walk through the steps. With these together you will have the best chance of the security team reproducing the bug.
The proof of concept in the report demonstrates how far an attacker must go to execute the attack.
HackerOne provides a long list of submitted bug reports which can serve as examples of how bug reports look. Navigate to the hacktivity page and look for disclosures — these are the ones with the details revealed. They show the bug report as well as the continued communication between the company and the researcher. Use these to shape your own bug reports into a format that works for you.
Use a Template
Another way to hit all the right points in your report is to use the template provided by HackerOne.
The final piece of bug reporting is communication. Both the researcher and the security team must work together to resolve the bug. There are already rules in place for what not to do when interacting with security teams, such as using the threat of releasing a newly found bug to raise the bounty. On both ends, respect must be shown. From the researcher’s side, keep in mind that a company’s bug bounty program can get crowded with submissions. Be patient when waiting to hear responses from the company’s security team. Also, handle disputed bounties respectfully. If you believe your bug is a higher severity than what the security team believes, work to show them that with evidence. In most cases they will be willing to escalate the bug if enough evidence is provided. Following these suggestions should put you in a good spot when writing a report.
If you have other suggestions for writing a report then leave them below!