However, some teams are triaging hundreds of reports a day - can you imagine how much time it would take them to watch that many videos? You know what sucks? Bonus points if you include screenshots highlighting the reproduction steps - this makes it even easier to reproduce the issue. HackerOne provides a long list of submitted bug reports which can serve as examples of how bug reports look. In almost 10 years, the program has received more than 130,000 reports, including 6,900 that received a payout—$11.7 million in total. Before we hop into what makes a good report, we need to cover our bases. Check the program’s rules page to see if they have an SLA (service-level agreement) or a best-effort time to respond. This can work for you or against you. Reports that include a basic proof of concept instead of a working exploit are eligible to receive … The State of Bug Bounty. The biggest difference between an unknown vulnerability and a known vulnerability is the ability to take action on it. Here are some quick tips to better understand programs you’d like to submit bugs to: This is probably the most important thing to figure out before you do anything! However, keep in mind that each of these security teams needs to share your report internally and probably convince other developers to spend time fixing the issue you’ve helpfully uncovered. It might be obvious to you what the impact is, and in some cases, it might even be obvious to them! These tips can help you achieve... Not all bug bounty programs are born equal.
Bugcrowd says that bounty hunters had reported the issue on the platform before it was announced. The final piece to bug reporting is communication. HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. The following sections on how to construct your reports will help you proactively avoid situations like this.