Page 176 - Hands-On Bug Hunting for Penetration Testers
10
Formatting Your Report
Throughout this book, we've been formatting sample reports based on whatever
vulnerability we've dived into. Ideally, you've gotten a sense of what information is
important from the data points that frequently show up in those reports, but in this chapter,
we'll go into greater detail about the most important submission components. We'll cover
what increases the chance of receiving a reward, what can bump up the severity of your
award (and its payout), what information is nice-but-optional, and then what's just noise.
We'll also discuss the principles you can use to write reports with clear, easy-to-reproduce
vulnerabilities, and detailed, compelling attack scenarios that will have the internal security
team clamoring for a patch (triggering your reward).
Having a granular idea of the individual content, scenarios, and format of a great report
example can help you shape your pentesting practice. As you continue to learn, refine your
skills, and generally become a better researcher, you can adopt new tools, strategies, and
other methods that are consistent with the end goal of creating that platonic perfect report,
the one that will be instantly rewarded at the highest appropriate severity level.
The following topics will be covered in this chapter:
- Reproducing the bug: how your submission is vetted
- Critical information: what your report needs
- Maximizing your reward: the features that pay
- Example submission reports: where to look
Technical Requirements
This section will provide all the necessary report examples within the text. There's no need
for even a browser, unless you'd like to read along with some of the material in the Further
reading section.

