Even if you have identified a highly critical vulnerability in the application of a bug bounty program, if the vulnerability report is not clearly written and explained, there are chances that the vulnerability may be rejected by the program. Before writing a bug bounty report, it is crucial that you identify the nature of the program.
Reading the scope of the bug bounty is probably the most important thing you should do before even looking at the program's website. It will be really frustrating when you spend a week looking for vulnerabilities in a bug bounty program only to find out that the domain that you tested is not included in the scope. The conventional scope of a bug bounty program contains the following bits of information:
- Mission statement
- Participating services
- Excluded domains
- Rewards and qualifications
- Eligibility for participation
- Conduct guidelines
- Nonqualifying vulnerabilities
- Commitment to researchers...