Why Every Bug Hunter Should Perfect Their Vulnerability Reports


TL;DR: Today, we’ll look at the steps behind phenomenal bug hunting write-ups, with examples, so that pen-testers can earn an even higher payout.

Introduction

It goes without saying that reporting your bug is an essential aspect of bug hunting, and is required to receive a bounty on most platforms. However, an alarming percentage of pen-testers aren’t aware that by improving the quality of their reports, they can actually get significantly higher bounties and build better relationships with the security team. Don’t take it from me, though; HackerOne said it themselves →

“Better bug reports = better relationships = better bounties”

Step 1. Find A Bug

Before you even get started writing your report, spend a good chunk of time (~2 hrs for anything above a P3 level bug) verifying the bug yourself. You’ll want to make absolutely sure that this bug is something you can base a valid, rewardable report on. Plus, if this is a fairly low-level bug that may chain with other vulnerabilities, look for additional attack vectors within scope to potentially multiply your bounty.

However, don’t go so far as to test beyond what you are authorized to do, and make sure to review the scope of the bug bounty program before you begin.

Step 2. Create Your Report

Once you’ve verified a bug and you’re content with the severity level, the hard part is pretty much done. Now, you have two options.

1. Report the bug like this →

Hello. I hacked you.
The bug is reflected XSS.
Send the bounty to ${insert paypal email here}.

2. Or, report the bug like this →

## Title:
[Title of bug, i.e. “[bug type] on [domain] leading to [list possible consequences]”]

## Summary:
[add summary of the vulnerability, what can it do to harm the company/website/app?]

## Steps To Reproduce:
[add details for how others can reproduce the issue. The better you do this, the sooner you can possibly get a reward & it shows professionalism]
1. [add step]
2. [add step]
3. [add step]

## Supporting Material/References:
[list any additional material (e.g. screenshots, logs, Burp Suite requests/responses, etc.)]
* [attachment / reference]

## IP Address:
[IP address for identifying your traffic]

## Timestamp:
[Date and time of testing]

The second is far more appealing to whoever triages your bug, because you’ve given detailed information about the entire process. The easier they can comprehend your report and validate your analysis, the faster you’ll get that increased bounty. If you’d like to learn more about the nitty-gritty aspects of writing the perfect report, check out this article.

Step 3. Submit The Bug Report

After you’ve verified your bug and written your bug report, check it over one last time to make sure it’s in accordance with the company’s security policy and that you’ve followed their instructions (if any were provided). Then, submit the report and you’re done. Almost.

Until that bounty is in your possession, you don’t actually have the reward. Even if you found a $10,000 P1 critical-level bug with devastating exploit potential, if the company can’t reach you, you might not get your payout. It’s important to maintain correspondence with the company whenever possible, especially if they respond to your submission and request more information.

Overall

Hopefully you’ve acquired a stronger understanding of what it takes to get the maximum bounty out of your bug hunting skills. Here are some great sample reports if you’re looking for exemplars.

Read HackerOne’s official post here

Thanks for reading about getting the most out of your bug bounty reports! If you’d like to learn more about bug hunting and web app pen-testing, check out The Gray Area!

If you’d really like to support me and help me create more content, subscribe to a Medium membership using my referral link

Thanks!
