Practice vocabulary for writing effective bug bounty reports: proof of concept, reproduction steps, impact assessment, scope clarification, and HackerOne submissions.
1 / 5
The working exploit or demonstration code that proves a vulnerability is real and exploitable is called:
Proof of concept (PoC). Triagers have to reproduce the issue before it can be validated or rated, so a working PoC (a request, script, or screenshot sequence that demonstrates the bug on the target) greatly increases a report's credibility and speeds up triage.
2 / 5
The section of a bug bounty report that walks the triager through how to reproduce the issue is called:
Steps to reproduce — clear numbered steps (1. Navigate to X, 2. Enter Y, 3. Observe Z) are essential for the security team to validate the report.
3 / 5
The section of a bug bounty report that explains what an attacker could do if they exploited this vulnerability is called:
Impact (or impact assessment). This section states concretely what an attacker gains, using phrases like 'an attacker could read all user data', 'bypass authentication', or 'achieve remote code execution', and it is what the program uses to assign severity.
4 / 5
When a report explains why a specific behavior is not eligible under the bug bounty rules, this section is called:
Scope clarification (or out-of-scope note). If the finding sits at the edge of the program's published scope, explicitly stating which assets or behaviors are in scope and which are not, and why you still consider the issue reportable, saves the triager a policy lookup and shows professionalism.
5 / 5
When a researcher submits a report through a company's HackerOne program, they would say:
I'm reporting this through your HackerOne program — specifying the platform helps the security team route the report correctly and confirms you followed the proper channel.