Bug Report: How to Write a Quality Report
Every bug hunter needs to write a bug report when they find a vulnerability. But do you know how to write a quality bug report? Check out the blog!

Writing a quality bug report is an art that every bug hunter needs to master. After all, finding a critical vulnerability is only useful if you can clearly communicate the exploitation technique, your reasoning, and the vulnerability itself in a report that others can understand.
A well-written bug report can make all the difference in demonstrating the severity of the bug to companies, which can even increase your reward!
Want to know how to write a quality bug report? Keep reading!
What is a Bug Report?
When a bug hunter discovers a vulnerability in a Bug Bounty program, they need to write a report to share their findings.
In general, a bug report should include some essential information, such as:
- Where the bug was found (scope);
- Who it affects (company, clients, users, or the general public);
- What impact the vulnerability has on the organization;
- A step-by-step guide to reproducing the issue;
- Proof of Concept (PoC) through images or videos;
- References about the vulnerability and possible fixes.
How to Write a Bug Report?
Your report can be as detailed as you want, but it should at least contain the following information:
Title
The title of your report should describe the type of bug found, where it was found, and its overall impact. This speeds up the triage process and helps understand the context of the bug. Avoid generic titles that do not give any clues about the vulnerability found.
For example, generic titles like “The system crashed” do not provide any information about the vulnerability, where it was found, or how to fix it. A better title for the same issue could be:
“Vulnerability XXX in generating PDF of report Y; Registration screen Z”
Technical Severity
Depending on the technical severity of the bug, different priorities are set. A bug can have the following severities: Unreported, Low, Medium, High, Critical. Companies will use these severity levels to determine which bugs to address first.
Vulnerability Details
This will be one of the longest and most important sections of your bug report. It should include:
- Scope of the Bug: Where you discovered the bug.
- Description: Your bug report should include descriptive replication steps so the company can reproduce and validate your findings.
- Additional Information: Provide additional details and context to the bug report. Explain what you discovered and describe the risk and impact of the bug on the company, including supporting materials for the company to delve deeper into the vulnerability type.
- Screenshots or Videos: Provide proof of concept (PoC) of the discovered vulnerability by including screenshots or videos in your bug report.
Steps to Reproduce
Every bug report needs to have a step-by-step guide for reproducing the bug. It is crucial that you can reproduce the vulnerability yourself by following these steps, so ensure they are specific and easy to follow.
After all, a bug that cannot be reproduced is a bug that cannot be fixed.
Proof of Concept (PoC)
A Proof of Concept (PoC) is a practical model that tries to prove a theoretical concept through research, articles, or implementation. In the context of Bug Bounty, PoC refers to developing a practical tool to demonstrate a system’s vulnerability.
You can achieve this in various ways, such as attaching scripts, screenshots, screen recordings, or other evidence of the found vulnerability. This makes your bug report even more effective!
Why is it Important to Write a Quality Bug Report?
Writing a bug report without considering who will read it can be counterproductive. Think of it this way: if you do not specify important information about the vulnerability, it might be considered less severe, which can reduce your reward.
Other reasons to invest more time in writing your bug report with higher quality include:
- A Quality Bug Report Speeds Up the Triage Process: Triage analysts need to read dozens of reports every day. An unsatisfactory bug report therefore takes them much more time to understand, to reproduce, and to evaluate for impact.
- A Good Bug Report Can Increase Your Rewards: Writing quality reports can increase your rewards in two ways:
  - If you provide a high-quality bug report, the teams receiving them will need to ask for fewer details, giving you more time to find new bugs.
  - Many companies offer bonuses if your report helps them quickly and efficiently fix the problem.
- Good Reports Enhance Your Hacking Skills: Mastering the skill of communicating your bug discoveries clearly and in a structured way adds value to your reports. This is especially useful when showcasing your skills, as you can even include links to your published reports in your resume.
Important Tips for Writing Your Bug Report
As you’ve seen, writing a quality bug report offers numerous benefits for both the bug hunter and the company.
Here are some important tips for writing a quality bug report:
- One Vulnerability per Report: It’s common to find more than one bug in a system when testing. However, it is crucial to report only one problem per report. Reporting multiple issues can confuse the developer and complicate bug fixes.
- Provide Context: Don’t forget to provide context about the bug. The more information your report contains, the better for the development team, the company, and you.
- Respect Scope Rules: The first thing triage analysts do when they receive a bug report is to check if the report is within scope. Ensure that vulnerabilities listed are within the program's policy.
- Add Extra Information: If you realize you missed an important detail or if the bug’s risks are different from what you initially thought, add more information! It’s better to add a comment and explain the situation than to leave it as is.
- Use References: References make everyone's work easier! Add links to external resources like blog articles, published reports, case studies, or other information that can support your report.
Be a Bug Hunter
Now that you know how to write a quality bug report, why not check out BugHunt?
We are the first collaborative bug bounty platform in Brazil. With us, you can sign up for free to start hunting and reporting bugs to various participating companies!
Make a real difference by protecting company environments and making the internet safer. Join us and work alongside some of Brazil’s top bug hunters!