A bounty hunter's most important skill is finding bugs.
However, once you find that sweet sweet crit, you need to communicate your finding to the team, so the team can fix it and so you can get that nice bounty.
There are different ways to structure your report, but make sure it includes the following key elements:
Impact
Why should the reader care about your report?
Explaining and convincing the reader of the severity of the issue described in your report serves two important purposes:
One, it tells the triager and development team how urgent this issue is. Do they need to drop everything, or can they get to this report in a minute?
Two, the impact is the main factor in establishing the bounty award. So make your case succinctly and convincingly.
Explanation and Credibility
What did you find? And how does the exploit work?
Convincing the reader that they should care about your report is great, but they will still have to verify its validity and fix the issue.
Explain the issue to the reader and provide background where necessary.
A proof of concept can be a great tool here! Proofs of concept are easy to verify, less ambiguous, and even help the team validate a fix!
Help
The goal of any bounty program is to make everything more secure.
Development teams will appreciate you adding a recommendations section at the end of your reports.
These recommendations don’t have to solve the issue at hand completely but should give the development team a head start in fixing the problem.