# Bug Bounty Report Writing

## Step 1: Craft a Descriptive Title

### **Wrong Example**

"IDOR on a Critical Endpoint"

### **Correct Example**

"IDOR on `https://example.com/change_password` Leads to Account Takeover for All Users"

## Step 2: Provide a Clear Summary

### **Correct Example**

The `https://example.com/change_password` endpoint takes two POST body parameters: `user_id` and `new_password`. A POST request to this endpoint would change the password of user `user_id` to `new_password`. This endpoint is not validating the `user_id` parameter, and as a result, any user can change anyone else's password by manipulating the `user_id` parameter.

## Step 3: Include a Severity Assessment

Evaluate severity using CVSS (or the program's own severity scale if it has one), and make sure the rating matches the impact you actually demonstrate in the report. For example:

* **Low severity:** open redirect only for phishing
* **Medium severity:** CSRF on password change
* **High severity:** open redirect for OAuth
* **Critical severity:** SQL injection leading to RCE

## Step 4: Give Clear Steps to Reproduce

### **Wrong Example**

1. Log in to the site and visit `https://example.com/change_password`.
2. Click the **Change Password** button.
3. Intercept the request, and change the `user_id` parameter to another user's ID.

### **Correct Example**

1. Make two accounts on `example.com`: account A and account B.
2. Log in to `example.com` as account A, and visit `https://example.com/change_password`.
3. Fill in the desired new password in the **New Password** field, located at the top left of the page.
4. Click the **Change Password** button located at the top right of the page.
5. Intercept the POST request to `https://example.com/change_password` and change the `user_id` POST parameter to the user ID of account B.
6. You can now log in to account B by using the new password you've chosen.

## Step 5: Provide a Proof of Concept

Include a video, screenshots, or photos documenting your exploit. If there is a payload involved, include the payload as well.

## Step 6: Describe the Impact and Attack Scenarios

### **Correct Example**

Using this vulnerability, all that an attacker needs in order to change a user's password is their `user_id`. Since each user's public profile page lists the account's `user_id`, anyone can visit any user's profile, find out their `user_id`, and change their password. And because `user_id`s are simply sequential numbers, a hacker can even enumerate all the `user_id`s and change the passwords of all users! This bug will let attackers take over anyone's account with minimal effort.

## Step 7: Recommend Possible Mitigations

### **Correct Example**

The application should validate the user's `user_id` parameter within the change password request to ensure that the user is authorized to make account modifications. Unauthorized requests should be rejected and logged by the application.
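To make the summary (Step 2), the impact section (Step 6) and the mitigation (Step 7) concrete, here is an added example that is not from the original page or from *Bug Bounty Bootcamp*: a toy in-memory model of the `/change_password` handler, first behaving the way the report describes (the `user_id` body parameter is trusted as-is), then with the fix the mitigation section asks for (the target account must be the authenticated account, and anything else is rejected and logged). The user store, sequential IDs, handler names and log format are all constructed for illustration.

```python
"""Toy model of the IDOR described in the report and its fix (constructed example)."""

from typing import Callable, Dict, List, Tuple

Handler = Callable[[int, Dict[str, str]], Tuple[int, str]]


class PasswordService:
    """Stand-in for example.com's /change_password endpoint (constructed)."""

    def __init__(self, users: Dict[int, str]) -> None:
        # users maps user_id -> current password. IDs are sequential integers,
        # the property the impact section says makes enumeration trivial.
        self.users: Dict[int, str] = dict(users)
        self.audit_log: List[str] = []

    def login(self, user_id: int, password: str) -> bool:
        return self.users.get(user_id) == password

    @staticmethod
    def _parse_target(body: Dict[str, str]) -> int:
        # Hypothetical body parsing; a malformed user_id is a 400, not a crash.
        return int(body["user_id"])

    def change_password_vulnerable(self, session_user_id: int, body: Dict[str, str]) -> Tuple[int, str]:
        """The behaviour the report describes: the authenticated user is known
        (session_user_id) but never compared with the user_id in the body."""
        try:
            target = self._parse_target(body)
        except (KeyError, ValueError):
            return 400, "bad request"
        if target not in self.users:
            return 404, "no such user"
        self.users[target] = body["new_password"]
        return 200, "password changed"

    def change_password_fixed(self, session_user_id: int, body: Dict[str, str]) -> Tuple[int, str]:
        """Mitigation from the report: only the authenticated account may be
        modified; any other target is rejected and written to the audit log."""
        try:
            target = self._parse_target(body)
        except (KeyError, ValueError):
            return 400, "bad request"
        if target != session_user_id:
            self.audit_log.append(
                f"REJECTED change_password: session user {session_user_id} "
                f"targeted user_id={target}"
            )
            return 403, "forbidden"
        self.users[target] = body["new_password"]
        return 200, "password changed"


def reproduce(service: PasswordService, handler: Handler) -> Tuple[int, bool]:
    """Steps to reproduce from the report: account A (id 1) submits a password
    change with user_id swapped to account B (id 2). Returns the HTTP status
    and whether the attacker can now log in as B."""
    status, _ = handler(1, {"user_id": "2", "new_password": "owned-by-A"})
    return status, service.login(2, "owned-by-A")


def enumerate_takeover(service: PasswordService, handler: Handler, max_id: int) -> List[int]:
    """Impact section: with sequential ids the attacker (id 1) can walk every
    account. Returns the ids whose passwords were successfully replaced."""
    taken: List[int] = []
    for uid in range(1, max_id + 1):
        status, _ = handler(1, {"user_id": str(uid), "new_password": f"pwn-{uid}"})
        if status == 200 and service.login(uid, f"pwn-{uid}"):
            taken.append(uid)
    return taken


if __name__ == "__main__":
    seed = {1: "alice-pw", 2: "bob-pw", 3: "carol-pw"}  # constructed accounts

    vuln = PasswordService(seed)
    print("vulnerable reproduce:", reproduce(vuln, vuln.change_password_vulnerable))
    vuln = PasswordService(seed)
    print("vulnerable enumeration took over:", enumerate_takeover(vuln, vuln.change_password_vulnerable, 3))

    fixed = PasswordService(seed)
    print("fixed reproduce:", reproduce(fixed, fixed.change_password_fixed))
    fixed = PasswordService(seed)
    print("fixed enumeration took over:", enumerate_takeover(fixed, fixed.change_password_fixed, 3))
    print("audit log:", fixed.audit_log)
```

Against the vulnerable handler the reproduction returns a 200 and a successful login as account B, and enumeration replaces every password; against the fixed handler the same request returns 403, B's original password still works, and the only account the attacker can change is their own (id 1), with each rejected attempt recorded in the audit log. Note that the fix compares against the server-side session identity, not against anything the client sent: checking `user_id` against another client-controlled field would leave the IDOR in place.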

## Step 8: Validate the Report

Re-read the report and re-run the steps to reproduce from scratch, ideally with fresh accounts, to confirm that the bug is still present, that every step is listed in the right order, and that the severity, impact and mitigation sections agree with what the proof of concept actually shows.

## Tips

* Don't assume anything
* Be clear and concise
* Write what you want to read
* Be professional

## Reference

{% embed url="https://nostarch.com/bug-bounty-bootcamp" %}
Bug Bounty Bootcamp - Vickie Li
{% endembed %}
