Professional Reporting & Career Growth
Writing Effective Bug Reports
A good report can double your bounty. A bad report can get a critical bug marked as informational. Your report is your product—invest in it.
Report Quality Impact
| Report Quality | Triage Time | Bounty Impact |
|---|---|---|
| Excellent | < 24 hours | +20-50% bonus |
| Good | 2-3 days | Standard payout |
| Poor | 1-2 weeks | Reduced/rejected |
| Incomplete | Closed | $0 |
Essential Report Components
1. Title
# Good Titles
- "IDOR in /api/users/{id}/documents allows accessing any user's files"
- "Stored XSS in comment field leads to session hijacking"
- "SQL injection in search parameter enables database extraction"
# Bad Titles
- "Bug found"
- "Security issue"
- "XSS"
2. Summary
One paragraph explaining:
- What the vulnerability is
- Where it exists
- What an attacker can achieve
## Summary
A Broken Object Level Authorization (BOLA) vulnerability exists in the
document retrieval endpoint `/api/v2/users/{user_id}/documents/{doc_id}`.
By modifying the `user_id` parameter, an authenticated attacker can
download any user's private documents, including sensitive financial
records and personal identification documents.
3. Severity Assessment
Use CVSS or the platform's own rating scale, and make sure the metrics you list actually produce the score you claim; triagers recompute it:
## Severity: High (CVSS 3.1 base score 6.5, Medium; rated High for platform-wide exposure, see justification)
**Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
**Attack Vector**: Network
**Attack Complexity**: Low
**Privileges Required**: Low (any authenticated user)
**User Interaction**: None
**Scope**: Unchanged
**Impact**: High loss of confidentiality; no integrity or availability impact
Justification: The base score does not account for how many users are exposed. Here any authenticated user can read every other user's private documents with a single parameter change, so the report argues for High and gives the vector so triage can verify the calculation and the uplift argument separately.
4. Steps to Reproduce
Crystal clear, numbered steps anyone can follow:
## Steps to Reproduce
1. Create two accounts: attacker@test.com and victim@test.com
2. Log in as victim and upload a document at /documents
3. Note the document ID in the URL: `/documents/12345`
4. Log out, then log in as attacker in a fresh session (no victim cookies left over)
5. Request `/api/v2/users/VICTIM_USER_ID/documents/12345` using the attacker's session
6. The document downloads (HTTP 200) even though it belongs to the victim
**Victim User ID**: 67890 (can be enumerated via the /api/users endpoint)
**Document ID**: 12345
5. Proof of Concept
Show, don't just tell:
## Proof of Concept
### HTTP Request
```http
GET /api/v2/users/67890/documents/12345 HTTP/2
Host: api.example.com
Authorization: Bearer eyJhbG...
```
(The bearer token is the attacker's own session; 67890 is the victim's user ID.)
### Response (victim's document)
```http
HTTP/2 200 OK
Content-Type: application/pdf
Content-Disposition: attachment; filename="victim_tax_return.pdf"

%PDF-1.4...
```
### Video PoC
[Link to screen recording showing full exploitation]
6. Impact Statement
Translate technical bug to business risk:
## Impact
**Confidentiality**: Complete breach of user document privacy
**Affected Users**: All 2.3M users with uploaded documents
**Data at Risk**:
- Financial documents (tax returns, bank statements)
- Identity documents (passports, driver's licenses)
- Medical records
**Attack Scenario**:
A malicious user could enumerate all user IDs and document IDs to
systematically download every private document on the platform,
potentially leading to identity theft, financial fraud, and
regulatory violations (GDPR, HIPAA).
7. Remediation Suggestions
Help them fix it:
## Suggested Fix
1. Implement the server-side authorization check in the handler, checking both the owner named in the path and the owner of the requested object:
```python
def get_document(user_id, doc_id, current_user):
    if user_id != current_user.id:  # path owner must be the authenticated principal
        raise ForbiddenError("Cannot access other users' documents")
    # Scope the lookup to the caller too: a foreign doc_id under the caller's own user_id must not resolve
    doc = Document.query.filter_by(id=doc_id, owner_id=current_user.id).first()
    if doc is None:
        raise NotFoundError("Document not found")
    return doc
```
2. Use indirect or unguessable object references (a per-session reference map, or random UUIDs) to blunt enumeration; neither replaces the check above
3. Log and alert on cross-user access attempts (one session producing 403s or 404s across many user IDs)
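To see why the fix has to check the object's owner and not just the `user_id` in the path, here is an added example (written for this page, not code from any program or platform) that models the documents endpoint from the report as an in-memory function: the vulnerable handler, a half-fixed one that only compares `user_id`, and the fixed one, each run through the reproduction steps above. Users, IDs and filenames are constructed sample data that reuse the report's numbers; the exception classes stand in for a framework's 403 and 404 responses.

```python
"""Added example for this page: the BOLA from the report, reproduced against
an in-memory stand-in for the documents endpoint. Users, IDs and filenames
are constructed sample data that reuse the report's numbers."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Stands in for the framework's 403 response."""


class NotFound(Exception):
    """Stands in for the framework's 404 response."""


@dataclass(frozen=True)
class User:
    id: int


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    filename: str


# Victim 67890 owns document 12345, as in the report; 11111 is the attacker.
USERS = {11111: User(11111), 67890: User(67890)}
DOCUMENTS = {
    12345: Document(12345, 67890, "victim_tax_return.pdf"),
    12346: Document(12346, 11111, "attacker_notes.pdf"),
}


def vulnerable_get_document(user_id, doc_id, current_user):
    """GET /api/v2/users/{user_id}/documents/{doc_id} as reported: the caller
    is authenticated, but neither path parameter is checked against them."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound()
    return doc


def half_fixed_get_document(user_id, doc_id, current_user):
    """Compares only user_id with the caller. Blocks the exact request in the
    report, yet still serves a foreign doc_id under the attacker's own user_id."""
    if user_id != current_user.id:
        raise Forbidden()
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound()
    return doc


def fixed_get_document(user_id, doc_id, current_user):
    """Checks the path owner AND scopes the lookup to the caller. A foreign
    doc_id resolves to 404, which also avoids confirming that it exists."""
    if user_id != current_user.id:
        raise Forbidden()
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != current_user.id:
        raise NotFound()
    return doc


def fetch_as(handler, caller_id, path_user_id, doc_id):
    """One request: authenticate as caller_id, hit the path, summarise the
    outcome the way it would appear in a report ('200 <file>', '403', '404')."""
    try:
        doc = handler(path_user_id, doc_id, USERS[caller_id])
        return f"200 {doc.filename}"
    except Forbidden:
        return "403"
    except NotFound:
        return "404"


def bola_report(handler):
    """Steps 4-6 of the report, plus the variant the half-fix misses: the
    attacker (11111) asks for victim 67890's document 12345 two ways."""
    return {
        "victim_path": fetch_as(handler, 11111, 67890, 12345),  # /users/67890/documents/12345
        "own_path": fetch_as(handler, 11111, 11111, 12345),     # /users/11111/documents/12345
    }


if __name__ == "__main__":
    for name, handler in [("vulnerable", vulnerable_get_document),
                          ("half_fixed", half_fixed_get_document),
                          ("fixed", fixed_get_document)]:
        print(f"{name:10} {bola_report(handler)}")
    # Legitimate access still works after the fix.
    print("owner     ", fetch_as(fixed_get_document, 67890, 67890, 12345))
```

The `own_path` case is the one worth adding to a report as a second reproduction step: it catches the common patch that compares the path `user_id` with the session and calls the bug fixed, and it is the kind of retest a program will ask you to do before paying.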
## Complete Report Template
```markdown
# [Vulnerability Type] in [Location] allows [Impact]
## Summary
[1-2 sentences describing the vulnerability and its impact]
## Severity
[Rating with justification]
## Affected Endpoint/Component
- URL:
- Parameter:
- Method:
## Steps to Reproduce
1.
2.
3.
## Proof of Concept
[Request/response, screenshot, or video]
## Impact
[Business impact and affected users]
## Suggested Remediation
[How to fix]
## Supporting Materials
- [ ] Screenshot
- [ ] Video PoC
- [ ] HTTP request/response logs
```
Common Mistakes
| Mistake | Fix |
|---|---|
| No PoC | Always include reproducible proof |
| Vague steps | Be specific, include URLs and payloads |
| Missing impact | Explain business consequences |
| Assumptions | Don't assume they know your setup |
| No remediation | Suggest fixes when possible |
Report Enhancements
Screenshots
- Annotate with arrows and highlights
- Show before/after states
- Include timestamps
Video PoCs
- Keep under 2 minutes
- Narrate or add captions
- Show the full attack chain
Request Logs
- Use Burp Suite export
- Redact secrets and anything not needed to prove the bug (your own session tokens and cookies, other users' personal data you did not need to retrieve)
- Highlight key parameters
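Redaction is easy to get wrong by hand when a report carries a dozen requests, so here is an added example (mine, not from the page or any tool) that scrubs credential-bearing headers in a raw HTTP dump before it goes into a report. The header list, the six-character prefix kept for correlation and the `[REDACTED]` marker are my choices; the request is a constructed sample reusing the report's numbers. It deliberately leaves the body untouched: a body that is itself the leaked document needs a manual decision (truncate, or replace with a hash) rather than a regex.

```python
"""Added example (not from the page): redact credentials in a raw HTTP
request/response before pasting it into a report. The sample message is
constructed; header names and the redaction format are this example's choice."""

# Headers whose values are secrets. A short prefix is kept so triage can match
# the token to their own logs without the report containing a usable credential.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
KEEP_PREFIX = 6


def _redact_pairs(value: str, first_only: bool) -> str:
    """Redact name=value pairs in a Cookie (all pairs) or Set-Cookie (only the
    first pair; the rest are attributes such as Path=/ that are not secret)."""
    parts = value.split(";")
    limit = 1 if first_only else len(parts)
    for i in range(limit):
        name, eq, val = parts[i].partition("=")
        if eq:
            parts[i] = f"{name}={val.strip()[:KEEP_PREFIX]}...[REDACTED]"
    return ";".join(parts)


def redact_header_value(name: str, value: str) -> str:
    key = name.lower()
    if key not in SENSITIVE_HEADERS:
        return value
    if key == "authorization":
        # "Bearer eyJhbG..." -> keep the scheme, truncate the credential
        scheme, _, cred = value.partition(" ")
        return f"{scheme} {cred[:KEEP_PREFIX]}...[REDACTED]" if cred else "[REDACTED]"
    if key in ("cookie", "set-cookie"):
        return _redact_pairs(value, first_only=(key == "set-cookie"))
    return value[:KEEP_PREFIX] + "...[REDACTED]"


def redact_http_message(raw: str) -> str:
    """Redact header values in the head of a text HTTP dump (request or
    response). The body after the blank line is returned unchanged."""
    head, sep, body = raw.partition("\n\n")
    out = []
    for line in head.split("\n"):
        name, colon, value = line.partition(":")
        # A header line has a colon and no space in the name; the request line
        # ("GET /path HTTP/2") and status line ("HTTP/2 200 OK") do not qualify.
        if colon and " " not in name:
            space = " " if value.startswith(" ") else ""
            out.append(f"{name}:{space}{redact_header_value(name, value.strip())}")
        else:
            out.append(line)
    return "\n".join(out) + sep + body


# Constructed sample request; the token and cookie values are made up.
SAMPLE_REQUEST = (
    "GET /api/v2/users/67890/documents/12345 HTTP/2\n"
    "Host: api.example.com\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.secretpayload.signature\n"
    "Cookie: session=abcdef0123456789; theme=dark\n"
    "\n"
)

if __name__ == "__main__":
    print(redact_http_message(SAMPLE_REQUEST))
```

Run it over every request and response in the report, then grep the output for anything that still looks like a token before you submit; the scrub only knows the header names you gave it.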
Pro Tip: Before submitting, ask yourself: "Could someone who's never seen this application reproduce this bug from my report alone?" If not, add more detail.
Next, we'll cover communicating effectively with security teams.