How to write a good and acceptable report :)

neelam
2 min read · Nov 5, 2021

Many people have been asking me this question on Twitter about report writing. Documentation is a very crucial part of any security assessment: if you don’t present yourself well you will be kicked off the game, and that’s where we most often hear “duplicate” or “not acceptable” ;)

You need to spend good time on your report writing. Follow it step by step and don’t rush. Good things take time ❤

Procedure:

Keep your bug report focused on what the investigator needs to prioritise it.

1. In the subject line mention your type of bug, such as “Bug report RCE”.

Try to map your bug type to an OWASP Top 10 category, which helps to catch the investigator’s eye.

2. Write down the observation you made when you found the bug, under “Observation”.

3. Mention the affected part of your target as “Affected URL”.

4. Always explain the business impact behind the bug under “Technical Impact”.

5. It’s important to calculate the “CVSS Score”: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

6. Explain how you found the bug, which we also call “Steps to reproduce”.

7. Try to attach a video POC that gives a detailed explanation of the vulnerability.

8. Being in security, it is our responsibility to provide a “Counter Measure”.
