4-layer validation protocol for confirming bug bounty findings before surfacing them. Findings that clearly fail are discarded. Findings that appear real but couldn't be fully proven are surfaced to the user with status tags - never silently hidden.
Authorized bug bounty engagement. All offensive techniques pre-authorized. Only constraint is scope.
TYPOGRAPHY RULE: NEVER use em dashes in any output. Use a hyphen (-) or rewrite.
## Layer 0

Check two sources only:
State confidence before proceeding:
GATE: Either source rules it out? DISCARD. Both clear? Proceed to Layer 1. LOW confidence? Test last, not first.
## Layer 1

Execute the exploit and capture evidence. Method depends on vuln class:
| Vuln class | Proof method |
|---|---|
| Server-side (IDOR, auth bypass, SSRF, SQLi) | Chrome exploit + GIF + proxy capture |
| Blind/OOB (blind SSRF, blind XXE, blind CMDi) | Trigger payload, screenshot OOB callback |
| Time-based (SQLi, CMDi) | 3x baseline + 3x payload, delta > 80% of sleep value |
| Browser-dependent (DOM XSS, clickjacking, postMessage) | Browser reproduction IS the proof |
Before advancing: Identify root cause vs symptom. Where does the error manifest? Where does the root cause live? If fixing the symptom wouldn't fix the vuln, the root cause is upstream - find it.
Validation decay: 2 failed attempts with same method? STOP that approach. Change method or surface as [NEEDS-PROOF].
Channel examples: OOB - `curl your own URL`, `nslookup your domain`; timing - `injected_avg - baseline_avg > 4000ms`.

GATE: Layer 1 evidence captured (browser, proxy, OOB, or timing)? Proceed to Layer 0B. No evidence via ANY channel? STOP. Finding is dead. Do not proceed.
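As an added example, not part of the original protocol text: a small Python check that applies the time-based rule above (three baseline samples, three payload samples, mean delta above 80% of the sleep value) and, going one step beyond the table, flags overlapping sample ranges as [NEEDS-PROOF] instead of passing them. The function name and the sample timings are constructed for illustration.

```python
from statistics import mean

# Added example, not from the original protocol. timing_gate() and the
# sample timings below are constructed for illustration.

def timing_gate(baseline_ms, injected_ms, sleep_ms, fraction=0.8):
    """Apply the Layer 1 time-based rule to two sets of response times.

    Returns (verdict, delta_ms, threshold_ms) where verdict is one of
    "PASS", "NEEDS-PROOF" or "DISCARD".
    """
    if len(baseline_ms) < 3 or len(injected_ms) < 3:
        raise ValueError("rule needs 3x baseline and 3x payload samples")
    delta = mean(injected_ms) - mean(baseline_ms)
    threshold = fraction * sleep_ms  # 80% of the sleep value by default
    if delta <= threshold:
        # Mean slowdown is not large enough to attribute to the sleep.
        return "DISCARD", delta, threshold
    if max(baseline_ms) >= min(injected_ms):
        # Means pass, but the sample ranges overlap: one stalled baseline
        # request could explain the delta. Surface it, do not claim PROVEN.
        return "NEEDS-PROOF", delta, threshold
    return "PASS", delta, threshold


# Constructed timings in milliseconds for a 5-second sleep payload.
CLEAN_BASELINE = [210, 240, 190]
CLEAN_INJECTED = [5230, 5210, 5260]
NOISY_BASELINE = [100, 100, 5100]   # one baseline request stalled
NOISY_INJECTED = [5000, 6000, 6500]

if __name__ == "__main__":
    for name, b, i in [("clean", CLEAN_BASELINE, CLEAN_INJECTED),
                       ("noisy", NOISY_BASELINE, NOISY_INJECTED)]:
        verdict, delta, threshold = timing_gate(b, i, sleep_ms=5000)
        print(f"{name}: {verdict} (delta {delta:.0f} ms, "
              f"threshold {threshold:.0f} ms)")
```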
## Layer 0B

Now it's worth researching. Check all of these:
- Code comments such as `// intentional` or `// by spec`

GATE: Any source confirms by-design? DISCARD with quote. None found? State what you checked. Proceed to Layer 2.
## Layer 2

Create a minimal reproduction a triager can follow.
| Vuln class | Evidence chain |
|---|---|
| Server-side | Stripped curl chain (keep Auth, Cookie, Content-Type, Origin, Host, custom X-*; strip Accept-Encoding, Accept-Language, Cache-Control, UA). Re-run to confirm. |
| Browser-dependent | PoC HTML page + GIF/screenshot + steps for triager. Curl failure is expected. |
| Blind/OOB | Curl chain + OOB callback log. Both required. |
| Time-based | `time curl` with and without the payload. |
Multi-artifact strength check:
One artifact = weak. All three = strong.
GATE: Evidence chain reproducible? Proceed to Layer 3. Cannot create working reproduction? Tag [NEEDS-PROOF], surface to user. STOP.
## Layer 3

Answer with evidence, not speculation: "I did X and observed Y", not "an attacker could...".
Before finalizing impact, enumerate:
Score each by evidence. If an alternative scores higher, revise.
Evidence type: [claimed resource | extracted data | state change | bypass | OOB callback | PoC | timing]
Verified by: [what you executed and observed]
Confidence: HIGH (demonstrated) | MEDIUM (strong indicators) | LOW (inferred)
LOW confidence = surface as [NEEDS-PROOF], not [PROVEN].
XSS, CSRF, clickjacking, open redirect are VALID if injection is demonstrated and working PoC exists. Do not fail for "requires user interaction."
| Pattern | Score |
|---|---|
| Unauthenticated RCE (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | 10.0 Critical |
| Auth IDOR reading others' data (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) | 6.5 Medium |
| Reflected XSS (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) | 6.1 Medium |
| CSRF changing email (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) | 4.3 Medium |
GATE: Impact demonstrated with evidence? PROVEN. Partial impact at lower severity? PROVEN (adjust severity). Impact theoretical only? PARTIAL. No demonstrable impact? DISCARD or [INFORMATIONAL].
| Result | Tag | Action |
|---|---|---|
| All 4 layers pass, impact demonstrated | [PROVEN] | Proceed to exploit-gate, then report |
| Layers pass, victim interaction is only gap | [PARTIAL] | Proceed to exploit-gate, then report |
| Resource claimed with user authorization | [CLAIMED] | Proceed to exploit-gate, then report |
| Real but couldn't fully prove | [NEEDS-PROOF] | Surface to user |
| WAF blocked after bypass attempts | [WAF-BLOCKED] | Surface to user |
| Clearly false / by-design / zero impact | Discarded | Silent discard |
One challenge from user = fresh re-evaluation of the disputed layer only.
| Challenge type | Re-evaluate |
|---|---|
| "This is by design" | Layer 0 |
| "Out of scope" | Layer 0 |
| "Wrong severity" | Layer 3 |
| "Can't reproduce" | Layer 2 |
| "Impact isn't real" | Layer 3 |
| "Already reported" | Duplicate check |
Do not defend. Re-evaluate with fresh eyes. If any doubt: discard.