Bug Reporting Guide

Learn how to write effective bug reports that get accepted and rewarded

Writing Effective Bug Reports

The quality of your bug report directly impacts how quickly it gets triaged, fixed, and rewarded. A well-written report helps the program team understand the issue efficiently and accurately assess its severity.

Key Elements of Successful Reports

  • Clarity: Communicate the issue in simple, precise language
  • Completeness: Include all information needed to understand and reproduce the issue
  • Conciseness: Be thorough but avoid unnecessary details
  • Reproducibility: Provide clear steps that consistently demonstrate the vulnerability
  • Impact Assessment: Explain the real-world consequences of the vulnerability

Success Tip: Research has shown that bug reports with clear reproduction steps and impact descriptions are 3x more likely to be rewarded quickly and at the higher end of the bounty range.

Report Structure

A well-structured report makes it easy for program teams to understand and validate your findings. Here's an effective template:

Title

Create a clear, specific title that summarizes the issue:

"[Vulnerability Type] in [Affected Component/Feature]"

Examples:

  • "Stored XSS in User Profile Comments"
  • "IDOR Allows Access to Other Users' Payment Information"
  • "Authentication Bypass in Password Reset Functionality"

Description

Provide a concise overview of the vulnerability:

"I discovered a [vulnerability type] in [specific location]. This vulnerability allows an attacker to [describe what an attacker could do] by [brief description of the attack method]."

Steps to Reproduce

List the exact steps to replicate the issue:

  1. Log in to the application at [URL]
  2. Navigate to [specific page/feature]
  3. Perform [specific action] with [specific input/parameter]
  4. Observe [the vulnerability manifestation]

Impact

Explain the real-world consequences:

"This vulnerability allows an attacker to [specific outcome]. The business impact includes [describe how this affects users, data, or the business]. This could lead to [potential worst-case scenario]."

Proof of Concept (PoC)

Provide evidence demonstrating the vulnerability:

  • Screenshots/videos showing the exploitation
  • Sample code or commands used
  • Network request/response pairs

Remediation

Suggest potential fixes (optional but appreciated):

"This issue could be remediated by [specific fix suggestion]. Additionally, I recommend [broader security control or practice]."

Severity Ratings

Suggesting an appropriate severity helps program teams prioritize and value your report. Bugbop uses the following severity levels:

Severity | Criteria                                                               | Examples
Critical | High impact, easy exploitability, no mitigating factors                | Remote code execution, full system compromise, significant data breach
High     | Significant impact, straightforward exploitation                       | Authentication bypass, stored XSS with sensitive context, direct access to sensitive data
Medium   | Moderate impact, may require specific conditions                       | Reflected XSS, CSRF affecting important functions, limited information disclosure
Low      | Minor impact, difficult exploitation, significant mitigations in place | Self-XSS, low-risk information leakage, issues requiring unlikely user interaction

Pro Tip: Be honest in your severity assessment. Inflating severity can damage your credibility, while accurately assessing impact demonstrates your expertise and professionalism.
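As an added example (not part of Bugbop's guide), a small Python checker that applies the report template and the severity levels above to a plain-text submission before it is sent: it requires every section of the template, checks that the title follows the "[Vulnerability Type] in [Affected Component]" pattern, that reproduction steps are numbered, that the severity is one of the four levels, and that no bracketed template placeholders such as [URL] were left unfilled. The host name and attachment name in the sample report are constructed for the example.

```python
import re

REQUIRED = ["Title", "Description", "Steps to Reproduce", "Impact", "Proof of Concept", "Severity"]
SEVERITIES = {"Critical", "High", "Medium", "Low"}   # the four levels in the table above
PLACEHOLDER = re.compile(r"\[[^\]]+\]")              # unfilled template slot such as [URL]
STEP = re.compile(r"^\s*\d+[.)]\s")                  # "1. ..." or "1) ..."

def parse_report(text):
    # Split a plain-text report into {heading: body}; Remediation is the one optional heading
    sections, current = {}, None
    for line in text.splitlines():
        name = line.strip().rstrip(":")
        if name in REQUIRED or name == "Remediation":
            current, sections[name] = name, []
        elif current is not None:
            sections[current].append(line)
    return {k: "\n".join(v).strip() for k, v in sections.items()}

def check_report(text):
    # Return a list of problems; an empty list means the report follows the template
    s, problems = parse_report(text), []
    for name in REQUIRED:
        if not s.get(name):
            problems.append(f"missing or empty section: {name}")
    if s.get("Title") and " in " not in s["Title"]:
        problems.append("title should read '<Vulnerability Type> in <Affected Component>'")
    steps = [ln for ln in s.get("Steps to Reproduce", "").splitlines() if ln.strip()]
    if steps and sum(1 for ln in steps if STEP.match(ln)) < 2:
        problems.append("reproduction steps should be a numbered list of at least two steps")
    sev = s.get("Severity", "").split()
    if sev and sev[0] not in SEVERITIES:
        problems.append(f"unknown severity '{sev[0]}'; use one of {sorted(SEVERITIES)}")
    for name, body in s.items():
        problems += [f"unfilled template placeholder {p} in {name}" for p in PLACEHOLDER.findall(body)]
    return problems

# Constructed sample report; the host name and attachment name are made up for this example
SAMPLE_REPORT = """\
Title
Stored XSS in User Profile Comments
Description
Comment bodies are inserted into the profile page without output encoding.
Steps to Reproduce
1. Log in with a test account at https://app.example.test
2. Post a comment containing a harmless HTML marker, then open the profile page: the marker is rendered as HTML
Impact
Any visitor to the profile page runs markup chosen by the commenter, in their own session.
Proof of Concept
Annotated screenshot (poc.png) and the request/response pair are attached.
Severity
High
"""
```

Running `check_report(SAMPLE_REPORT)` returns an empty list; swap the title for "XSS bug" or leave "[URL]" in a step and the returned list names each problem.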

Creating Effective Proof of Concepts

A good proof of concept (PoC) demonstrates the vulnerability clearly while following program rules and ethical guidelines.

Guidelines for PoCs

  • Minimize impact: Demonstrate the vulnerability with minimal disruption to systems and users
  • Use test accounts: When possible, create demo accounts rather than affecting real users
  • Document clearly: Add annotations to screenshots or videos explaining what's happening
  • Limit data access: If you discover a data leak, view only enough data to prove the vulnerability exists
  • Follow responsible disclosure: Never share your findings publicly before the program team has fixed the issue

Effective PoC Formats

  • Screenshots: Best for simple UI issues or visible results of exploitation
  • Videos: Ideal for complex sequences of actions or dynamic issues
  • HTTP Request/Response: For API vulnerabilities or network-level issues
  • Code snippets: For demonstrating payloads or exploitation scripts
  • Network capture files: For complex multi-step network interactions

Common Issues to Avoid

Learn from frequent mistakes that can result in report rejection or reduced bounties:

  • Common mistake: Submitting duplicate reports without checking existing reports
    Better approach: Search for similar reports before submitting; if unsure, emphasize unique aspects of your finding
  • Common mistake: Reporting issues clearly listed as out-of-scope
    Better approach: Carefully read the program policy; if you think an exception is warranted, explain why this particular finding might deserve reconsideration
  • Common mistake: Submitting low-quality reports with insufficient detail
    Better approach: Review your report before submission; ensure it includes all elements in the recommended structure
  • Common mistake: Overestimating severity without justification
    Better approach: Base severity on actual impact, not theoretical scenarios; provide concrete evidence for your assessment
  • Common mistake: Poor communication or unprofessional responses
    Better approach: Maintain respectful, constructive communication; respond to questions promptly and thoroughly

Understanding Bounty Rewards

Bounties are typically determined by several factors beyond just technical severity:

Factors That Influence Bounty Amounts

  • Technical Severity: The potential impact and exploitability of the issue
  • Business Impact: How the vulnerability affects the organization's operations or reputation
  • Report Quality: The clarity, completeness, and professionalism of your submission
  • Creativity/Novelty: New vulnerability types or innovative exploit techniques
  • Affected Assets: Vulnerabilities in critical systems may receive higher rewards

Typical Reward Ranges

While amounts vary by program, here are typical ranges you might encounter:

  • Critical: $1,000 - $10,000+
  • High: $500 - $3,000
  • Medium: $100 - $500
  • Low: $50 - $150

Pro Tip: Many programs offer bonuses for exceptional reports. These can include clear remediation advice, well-documented root cause analysis, or creative exploit chains.

Tools & Resources

Equip yourself with the right tools and knowledge to find impactful vulnerabilities:

Essential Tools

Learning Resources

Final Tip: The most successful bug hunters continually learn and adapt their skills. Stay current with security news, follow other researchers' disclosures, and practice regularly to sharpen your vulnerability hunting abilities.