
What does a quality report look like?

Not all great vulnerability reports look the same, but all of them share some common features. Reports should include a detailed description of your discovery with clear, concise, reproducible steps or a working proof-of-concept (POC). If you don't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone. Screenshots and/or videos can help security teams quickly reproduce the issue, but make sure you closely read each program’s Security Page and scope, as not all programs accept them.

Here are some excellent, publicly disclosed HackerOne examples of good reports:

More great resources for vulnerability report best practices are the Dropbox Bug Bounty Program: Best Practices, Google Bug Hunter University, and A Bounty Hunter’s Guide to Facebook.
