Are you a value-add or just noise?

Is your bug report signal or just more noise? Triage time is our scarcest resource, so we need actionable findings, not static.


Security vulnerabilities are a fact of life. The problem is the inefficiencies that prevent us from fixing them at warp speed. Low-quality, unfocused reports are the bureaucratic equivalent of a long, pointless meeting. They waste valuable engineering hours, clog the triage pipeline, and prevent us from addressing the critical issues that actually matter.
We have spent hours trying to make sense of a report that lacked a clear path to reproduction. Don’t be that report.


The cost of “crying wolf”

Crying wolf is for fairy tales. In engineering, we call it inefficiency. When a report lacks evidence or a clear path to reproduction, our triage team is forced to waste time validating something that might not even exist. This erodes trust, slows down the feedback loop, and makes it less likely you’ll be rewarded for future, valid findings.
Your mission is to make the triage engineer’s job as easy as possible. The simple test: would a competent engineer, operating on first principles, be able to reproduce your finding in less than 15 minutes?


The Anatomy of a High-Quality Report

A great bug report is a concise technical brief, not a rambling email. It follows the principles of lean manufacturing and first-principles thinking: remove everything that doesn’t add value.

  • Title (1 line): Short summary + affected area. Be specific.
  • Executive summary (2–3 lines): Impact and scope. Get to the point.
  • Affected systems: Exact endpoints, versions, environments. Don’t make us guess.
  • Steps to reproduce: Numbered, minimal, copy-pastable. No excuses.
  • Proof-of-concept: Script, curl commands, screenshots, or logs. Show your work.
  • Impact assessment: Confidentiality, integrity, availability, and exploitability. Quantify the risk.
  • Environment details: Staging vs prod, auth state, headers, cookies. Provide context.
  • Evidence: Request/response with headers, timestamps, log excerpts. Proof is everything.
  • Suggested remediation: Concise recommended fix and references. Offer a solution.
  • Disclosure timeline & contact: Preferred communication and expectations. Be direct.

How to write reproducible steps (example)

We need a recipe for reproduction. If we can’t reproduce it, we can’t fix it.

  1. Start from a clean session: a fresh incognito window, or curl with no cookies, so no ambient authentication is present.
  2. Send POST /api/v1/items with JSON body {"id":1} and no session cookie; observe 401/403. This is the baseline.
  3. Repeat the same request with the header X-User: attacker@example.com and observe 200 OK with the item listing.
  4. Attach the exact curl commands and both responses (status, headers, body) with timestamps.

This is a concise feedback loop. This is how you drive progress.


Minimal good example (compact)

Title: Account enumeration via /api/v1/users (timing side channel, no rate limit)
Exec. summary: /api/v1/users responds measurably slower for registered emails than for unknown ones, which allows account enumeration; with no rate limiting the check can be scripted. Affects /api/v1/users on prod; reproducible with curl. (Impact: info disclosure)
Steps: 1) curl -s -o /dev/null -w '%{time_total}\n' "https://example.com/api/v1/users?email=known@example.com" 2) Repeat with an email that is not registered. 3) Run each 5+ times and compare medians; a consistent difference of >0.5s confirms the signal. PoC: [attach script].
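The reproduction recipe above (a header-based authorization bypass checked against a baseline request) and the compact timing-enumeration report both come down to the same two things: capture the evidence the template asks for, and compare against a control. The script below is an added example, not code from this page or its program, showing how a reporter can do both. The host example.com, the /api/v1/items and /api/v1/users paths, the X-User header and the timing samples are assumptions taken from the page's illustrative reports or constructed here.

```python
"""Evidence-capturing PoC harness for the two report examples above.

Added example, not code from the page's author or program. Endpoints, the
X-User header, example.com and the timing samples are assumptions taken from
the page's illustrative reports or constructed here.
"""
import json
import shlex
import statistics
import sys
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone

BASE_URL = "https://example.com"  # placeholder host used in the page's examples


def curl_equivalent(method, path, headers=None, body=None, base_url=BASE_URL):
    """Render a request as the copy-pastable curl line the report should carry."""
    parts = ["curl", "-i", "-sS", "-X", method]
    for name, value in (headers or {}).items():
        parts += ["-H", shlex.quote(f"{name}: {value}")]
    if body is not None:
        parts += ["-H", shlex.quote("Content-Type: application/json"),
                  "-d", shlex.quote(json.dumps(body))]
    parts.append(shlex.quote(base_url + path))
    return " ".join(parts)


def capture(method, path, headers=None, body=None, base_url=BASE_URL, timeout=10):
    """Send one request and return an evidence record: UTC timestamp, the exact
    request (as curl), status, response headers, elapsed seconds and a body
    excerpt. 4xx/5xx responses are evidence too, so they are recorded, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    stamp = datetime.now(timezone.utc).isoformat()
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, resp_headers, excerpt = resp.status, dict(resp.headers), resp.read(512)
    except urllib.error.HTTPError as err:
        status, resp_headers, excerpt = err.code, dict(err.headers), err.read(512)
    return {
        "timestamp": stamp,
        "request": curl_equivalent(method, path, headers, body, base_url),
        "status": status,
        "elapsed_s": round(time.perf_counter() - start, 3),
        "response_headers": resp_headers,
        "body_excerpt": excerpt.decode("utf-8", "replace"),
    }


def bypassed(baseline, spoofed):
    """The header-bypass claim only holds with a control: the same request must be
    rejected without the header and accepted with it. 200 in both cases is a
    different finding (missing authorization), not a header bypass."""
    return baseline["status"] in (401, 403) and spoofed["status"] == 200


def timing_delta(known_samples, unknown_samples):
    """Median response-time gap (seconds) between a known and an unknown account.
    Medians over several samples, not one request each, so a single slow
    response cannot manufacture a finding."""
    return statistics.median(known_samples) - statistics.median(unknown_samples)


def enumeration_signal(known_samples, unknown_samples, threshold=0.5):
    """True when the median gap exceeds the threshold the report claims (0.5 s)."""
    return abs(timing_delta(known_samples, unknown_samples)) > threshold


# Constructed timing samples (seconds) standing in for live measurements.
KNOWN_SAMPLES = [0.92, 0.88, 0.95, 1.01, 0.90]
UNKNOWN_SAMPLES = [0.21, 3.00, 0.19, 0.22, 0.20]  # one outlier on purpose


def measure(path, query, samples=5, base_url=BASE_URL):
    """Collect response times for one email value against a live target."""
    return [capture("GET", f"{path}?{query}", base_url=base_url)["elapsed_s"]
            for _ in range(samples)]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live run: python poc.py https://staging.example.com
        base = sys.argv[1]
        baseline = capture("POST", "/api/v1/items", body={"id": 1}, base_url=base)
        spoofed = capture("POST", "/api/v1/items", {"X-User": "attacker@example.com"},
                          {"id": 1}, base_url=base)
        print(json.dumps([baseline, spoofed], indent=2))
        print("bypass reproduced:", bypassed(baseline, spoofed))
    else:  # offline: show the statistic on the constructed samples
        print("median gap (s):", round(timing_delta(KNOWN_SAMPLES, UNKNOWN_SAMPLES), 3))
        print("enumeration signal:", enumeration_signal(KNOWN_SAMPLES, UNKNOWN_SAMPLES))
```

Run it with a base URL to execute the header-bypass steps and print the two evidence records; run it without arguments to see the timing statistic on the constructed samples. An explicit baseline and medians over several requests are what separate a finding from noise: a single slow response, or a 200 that appears both with and without the header, proves nothing about the claim being made.
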

What not to do (bad example)

“I found an account issue, pls check.” — this is the digital equivalent of an email that says “something is wrong.” It has no endpoint, no steps, no evidence, and no impact assessment. It’s noise.


What to expect from us (company policy)

  • We will prioritize reports that are clear and actionable. The reward is directly correlated with the value provided.
  • Issues stemming from well-known CVEs or basic hygiene are less likely to receive monetary reward. These are table stakes for a serious security team. We may offer non-monetary recognition if the report shows exceptional rigor.

Quick template

Use this template. Don’t add anything to it unless it serves a specific, verifiable purpose.

Title:
Executive summary:
Affected systems:
Steps to reproduce:
PoC (curl/script/screenshots):
Impact assessment:
Environment:
Evidence:
Suggested remediation:
Contact and disclosure timeline:

Closing: fixes deserve credit, not noise

If you want your reports acted on quickly, make them actionable. Don’t waste our time. Give us the tools to fix real problems, and we’ll reward meaningful work fairly.