Report writing protocol - structure, checklist, and templates for HackerOne (H1) reports that pass triage on first review.
All must be true before writing:
Title format: [Vuln Type] in [Feature/Endpoint] leads to [Impact]
Gate: All checked? Write the report. Any unchecked? Fix first.
# [Vuln Type] in [Feature] leads to [Impact]
## Summary
{What you accomplished in 2-3 sentences. Lead with result, not discovery method.}
## Expected vs Actual Behavior
**Expected:** {What should happen - specific security control}
**Actual:** {What actually happens - lead with the exploitation result}
## Steps to Reproduce
### Prerequisites
- Account A (victim): {email}, ID: {id}
- Account B (attacker): {email}, ID: {id}
### Steps
1. {exact URL or curl command}
2. {next action}
3. Observe: {what confirms the vuln}
## Impact
This vulnerability allows an attacker to {specific capability}.
**Affected users:** {scope/count}
**Business consequences:** {regulatory, financial, reputational}
## Supporting Material
{Screenshots, videos, HTTP logs - attached as files}
## Severity Justification
**CVSS 3.1:** {vector string} = {score} ({rating})
Per {program}'s policy: "{quoted section}"
## Recommended Fix
{Actionable remediation - where to add the check, what to validate}
If any response looks like failure (success: false, error codes, empty arrays), explain at that step what the response means and why the finding still stands; if it does not still stand, the step does not belong in the report.
Gate: Every ambiguous response explained inline? Proceed.
| Vuln complexity | Minimum evidence |
|---|---|
| Simple (XSS, open redirect) | 2 screenshots + curl |
| Medium (IDOR, auth bypass) | Screenshots + HTTP request/response + JSON |
| Complex (chain, race condition) | Video + screenshots + automated PoC script |
| Critical (S3 takeover, RCE) | Actual proof of claim (a non-destructive, in-scope demonstration such as a harmless marker file or benign command output) + video + script |
Gate: Evidence meets minimum for complexity level? Proceed.
Use business language, not technical jargon, and quantify the scope:
| Write this | Not this |
|---|---|
| "Attacker accesses all customer payment data" | "Parameter is injectable" |
| "Complete account takeover for any user" | "Missing authorization check" |
| "Affects all 10M users" | "XSS vulnerability exists" |
| "GDPR Article 32 breach (fines up to EUR 10M or 2% of global annual turnover, whichever is higher, under Article 83(4))" | "Data is exposed" |
Cite a regulation only when the exposed data actually falls under it, and quote the penalty tier correctly: Article 32 (security of processing) is in the 2% tier of Article 83(4); the 4% tier of Article 83(5) covers the Article 5 processing principles and data-subject rights.
Gate: Impact uses business language with scope quantified? Proceed.
Gate: CVSS vector and score, program policy quote, and a comparable disclosed report cited? Proceed.
| Severity | Submit when |
|---|---|
| Critical/High | Immediately (the first valid submission wins; every hour of delay risks a duplicate) |
| Medium | Same day |
| Low | Batch weekly |
Best days: Tuesday-Thursday. Avoid Friday afternoon and weekends.
Gate: Severity-appropriate timing? Submit.
After writing, verify against these failure modes (from real experience):
| Failure mode | Prevention |
|---|---|
| Analyst can't reproduce | Every step has exact URL + paste-ready command |
| "How did you get the token?" | Full auth flow documented with exact curl |
| "Is this exploitable?" | Lead with successful result, show leaked data |
| "Can you demonstrate?" | Actual PoC attached, not just description |
| Ambiguous response confusion | Explained at the step, not 100 lines later |
Gate: No failure modes present? Report is ready.
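What a medium-complexity submission should ship as its "automated PoC script": the full auth flow, every request/response pair captured for Supporting Material, and each response classified and explained at the step it occurs rather than a hundred lines later. The following is an added example, not part of the original protocol: an IDOR reproduction skeleton in which the target URL, endpoints, account details, token format and JSON shapes are all hypothetical, and `make_fake_api` is a constructed in-memory stand-in for the target so the script runs offline. Its `authz_enforced=True` mode answers a cross-user read with HTTP 200 and `success: false`, the "looks like failure" response the checklist tells you to explain inline.

```python
import json
from dataclasses import dataclass

# Hypothetical target and the template's two test accounts (Account A / Account B).
BASE = "https://target.example/api"
VICTIM = {"email": "victim@example.com", "id": 1001, "password": "Victim-Pass-1"}
ATTACKER = {"email": "attacker@example.com", "id": 2002, "password": "Attacker-Pass-1"}

@dataclass
class Exchange:
    method: str
    url: str
    headers: dict
    body: object
    status: int
    response: str
    note: str = ""  # the explanation written at this step, not later

    def render(self):
        """Plain-text request/response pair for the Supporting Material section."""
        lines = [f"{self.method} {self.url}"] + [f"{k}: {v}" for k, v in self.headers.items()]
        if self.body:
            lines += ["", self.body]
        text = "\n".join(lines) + f"\n\n<- HTTP {self.status}\n{self.response}"
        return text + (f"\nNote: {self.note}" if self.note else "")

def classify(status, response, victim_id):
    """Say what the response proves, at the step it occurs. Returns (verdict, note)."""
    if status in (401, 403):
        return "blocked", f"HTTP {status}: authorization enforced, not vulnerable"
    try:
        data = json.loads(response)
    except ValueError:
        return "ambiguous", f"HTTP {status} with a non-JSON body; explain before going on"
    if isinstance(data, dict) and data.get("success") is False:
        return "ambiguous", "HTTP 200 but success:false - app-level denial, no data returned"
    if data in ({}, []):
        return "ambiguous", "empty response - nothing leaked; confirm the victim id exists"
    if isinstance(data, dict) and data.get("id") == victim_id and "email" in data:
        return "exploited", f"victim id {victim_id} record returned to the attacker session"
    return "ambiguous", "unexpected response shape; explain what it means at this step"

def login(send, account):
    """Documented token source, so 'how did you get the token?' never comes up."""
    url, hdrs = f"{BASE}/login", {"Content-Type": "application/json"}
    body = json.dumps({"email": account["email"], "password": account["password"]})
    status, resp = send("POST", url, hdrs, body)
    token = json.loads(resp).get("token") if status == 200 else None
    note = f"session token for {account['email']} (id {account['id']})"
    return token, Exchange("POST", url, hdrs, body, status, resp, note)

def reproduce(send):
    """Full chain: attacker logs in, requests the victim's profile, result is classified."""
    token, ex = login(send, ATTACKER)
    evidence = [ex]
    if token is None:
        return "ambiguous", evidence
    url = f"{BASE}/users/{VICTIM['id']}/profile"
    hdrs = {"Authorization": f"Bearer {token}"}
    status, resp = send("GET", url, hdrs, None)
    verdict, note = classify(status, resp, VICTIM["id"])
    evidence.append(Exchange("GET", url, hdrs, None, status, resp, note))
    return verdict, evidence

def make_fake_api(authz_enforced):
    """Constructed stand-in for the target (not its real behaviour) so this runs offline.
    authz_enforced=True answers cross-user reads with HTTP 200 + success:false."""
    tokens = {}
    def send(method, url, headers, body):
        path = url[len(BASE):]
        if method == "POST" and path == "/login":
            creds = json.loads(body)
            for acct in (VICTIM, ATTACKER):
                if (creds["email"], creds["password"]) == (acct["email"], acct["password"]):
                    tokens[f"tok-{acct['id']}"] = acct["id"]
                    return 200, json.dumps({"token": f"tok-{acct['id']}"})
            return 401, json.dumps({"error": "bad credentials"})
        auth = headers.get("Authorization", "")
        caller = tokens.get(auth[7:]) if auth.startswith("Bearer ") else None
        if caller is None:
            return 401, json.dumps({"error": "unauthenticated"})
        if method == "GET" and path.startswith("/users/") and path.endswith("/profile"):
            uid = int(path.split("/")[2])
            if authz_enforced and uid != caller:
                return 200, json.dumps({"success": False, "error": "forbidden"})
            acct = VICTIM if uid == VICTIM["id"] else ATTACKER
            return 200, json.dumps({"id": acct["id"], "email": acct["email"]})
        return 404, "{}"
    return send

if __name__ == "__main__":
    # Offline demonstration against the constructed API.
    verdict, evidence = reproduce(make_fake_api(authz_enforced=False))
    print(f"verdict: {verdict}\n\n" + "\n\n".join(ex.render() for ex in evidence))
```

For a live run against an in-scope target, `send` is the only piece to replace: any function with the signature `send(method, url, headers, body) -> (status, body_text)` works, so a thin wrapper over `urllib.request` or `requests` drops in without touching the reproduction logic. Attach the `render()` output of each `Exchange` as the HTTP log; the `Note` line on each pair is the inline explanation the "ambiguous response" gate asks for.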