Not all great vulnerability reports look the same, but all of them share some common features. Reports should include a detailed description of your discovery with clear, concise, reproducible steps or a working proof-of-concept (POC). If you don't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone. Screenshots and/or videos can help security teams quickly reproduce the issue, but make sure you closely read each program’s Security Page and scope, as not all programs accept them.
Here are some publicly disclosed HackerOne reports that serve as excellent examples:
- Twitter disclosed on HackerOne: URGENT - Subdomain Takeover
- Shopify disclosed on HackerOne: Attention! Remote Code Execution
- Square disclosed on HackerOne: Delayed, fraudulent transactions