Page 186 - Hands-On Bug Hunting for Penetration Testers
P. 186
Formatting Your Report Chapter 10
Summary
This chapter discusses the finer points of writing a vulnerability report submission that we
might have glossed over in our attack chapters, explaining the critical information that
should be included in every report, optional information, the importance of including
detailed steps to reproduce the bug, how to write a good attack scenario (with examples),
where to find real-life production bug report submissions, and more. Building on the
sample submission reports we've created throughout our vulnerability walkthrough
chapters with more high-level discussion of what makes a report worth a reward, this
chapter should give you everything you need moving forward to write quality reports that
win you the maximum payout for the bugs you've discovered.
In the next chapter, we will cover tools and methodologies beyond those we used directly
in our walkthroughs.
Questions
1. What does RCE stand for?
2. What is a useful context to include about your discovery in your reports?
3. What are a few examples of data that should be in every report?
4. What is the Vulnerability Rating Taxonomy (VRT)? What about the CVSS?
5. Why is ensuring that the bug is reproducible important?
6. What distinguishes a good, well-written attack scenario from a lackluster one?
7. What are some good resources for finding examples of real life vulnerability
report submissions?
8. What kinds of file attachments are worth including in your bug report?
Further Reading
You can find out more about some of the topics we have discussed in this chapter at:
GitHub Bug Bounty FAQs: IUUQT CPVOUZ HJUIVC DPN JOEFY IUNM GBRT.
Bug submission methodology: IUUQT XXX CVHDSPXE DPN XSJUJOH
TVDDFTTGVM CVH TVCNJTTJPOT CVH CPVOUZ IVOUFS NFUIPEPMPHZ
[ 171 ]
