Bug Bounty Report Writing

Step 1: Craft a Descriptive Title

Wrong Example

"IDOR on a Critical Endpoint"

Correct Example

"IDOR on https://example.com/change_password Leads to Account Takeover for All Users"

Step 2: Provide a Clear Summary

Correct Example

The https://example.com/change_password endpoint takes two POST body parameters: user_id and new_password. A POST request to this endpoint would change the password of user user_id to new_password. This endpoint is not validating the user_id parameter, and as a result, any user can change anyone else's password by manipulating the user_id parameter.

Step 3: Include a Severity Assessment

Evaluate severity based on CVSS:
  • Low severity: open redirect only for phishing
  • Medium severity: CSRF on password change
  • High severity: open redirect for OAuth
  • Critical severity: SQL injection leading to RCE

Step 4: Give Clear Steps to Reproduce

Wrong Example

  1. 1.
    Log in to the site and visit https://example.com/change_password.
  2. 2.
    Click the Change Password button.
  3. 3.
    Intercept the request, and change the user_id parameter to another user's ID.

Correct Example

  1. 1.
    Make two accounts on example.com: account A and account B.
  2. 2.
    Log in to example.com as account A, and visit https://example.com/change_password.
  3. 3.
    Fill in the desired new password in the New Password field, located at the top left of the page.
  4. 4.
    Click the Change Password button located at the top right of the page.
  5. 5.
    Intercept the POST request to https://example.com/change_password** and change theuser_id` POST parameter to the user ID of account B.
  6. 6.
    You can now log in to account B by using the new password you've chose.

Step 5: Provide a Proof of Concept

Include a video, screenshots, or photos documenting your exploit. If there is a payload involved, include the payload as well.

Step 6: Describe the Impact and Attack Scenarios

Correct Example

Using this vulnerability, all that an attacker needs in order to change a user's password is their user_id. Since each user's public profile page lists the account's user_id, anyone can visit any user's profile, find out their user_id, and change their password. And because user_ids are simply sequential numbers, a hacker can even enumerate all the user_ids and change the passwords of all users! This bug will let attackers take over anyone's account with minimal effort.

Step 7: Recommend Possible Mitigations

Correct Example

The application should validate the user's user_id parameter within the change password request to ensure that the user is authorized to make account modifications. Unauthorized requests should be rejected and logged by the application.

Step 8: Validate the Report

Double check that everything is correct.


  • Don't assume anything
  • Be clear and concise
  • Write what you want to read
  • Be professional


Bug Bounty Bootcamp
Bug Bounty Bootcamp - Vickie Li