Communications
As ethical hackers, we’re generally spending a tremendous amount of time on finding a valid bug. When it comes to reporting we’re already pretty tired. The process of writing a report might be pretty tedious, especially if we haven’t documented every action we took that brought us to the vulnerable endpoint (seriously, document your steps people). We’re prone to miss out details or we can’t communicate the problem appropriately while we’re writing a bug report. Plus, the wait after submitting a report can be tense since we put so much effort on the entire bug finding process. Sometimes we come off as arrogant when we do not mean to, and it really doesn’t help our hacking adventures. This short guide will give you notes to keep in mind when you’re communicating through your bug and waiting for a result.
Tips to Keep in Mind While Reporting a Bug
There are some key points that you shouldn’t miss in writing a bug report if you want to be taken seriously and earn real-life reputation points:
-
Be clear and write to the point. No one will read about your adventures that took you to that point. Don’t write a scientific article, it’s just a CSRF you’re reporting. Be concise.
-
List the steps clearly. Generally, telling the recipient that they should “Send the following request” won’t work. Because guess what, you didn’t tell them that you have to be logged in, or that the recipient has to replace the cookies with their own.
-
Find the real impact. Pasting a link from OWASP’s website is lazy-work. Great, you’re educated, but no one will click on that link. You’re supposed to read that and apply it to your issue. This is where your persuasion skills will charm the recipient and convince them the issue is a big deal.
-
You’re probably accustomed to the way the vulnerable asset works, so you might skip important steps, assuming the recipient will know what to do. If you’re not good with words, adding screenshots is a great trick but definitely not enough on it’s own.
-
Review your report. Use the magic questions, where [is the problem], what [is the problem], how [do I reproduce it], why [is it important], and see if your report responds to them clearly.
Waiting for a Response
Well done! You submitted a perfect report, time to rest and wait for a reply. This should be easy, right? Well, things might (or might not) take a little longer than you expect. This might be caused by a bajillion reasons but there are two main paths for this:
-
The wait is because of some issue in the way you wrote the report. The recipient will let you know if that’s the case. The same rules above apply in replying to the recipient here. Be as clear as possible.
-
There’s an internal problem. Maybe the server’s down, or there’s some issue about the asset. These are not your concern, and it’s absolutely okay to ask for an update without being rude.
End Notes
Regardless of the reason of the delay or the result of your report, never forget that no matter the situation you do not have the right to bully the recipient or throw a fit. Do not imply anything that might come off as arrogant. Just reply to the questions they ask as clearly as possible, or ask your questions without pettiness. Refrain from using a negative language. In fact, giving gratitude, or wishing someone well would definitely have a huge positive impact on your real-life reputation. You will not only make someone’s day, but your upcoming reports will be gladly tackled. Do not forget that there are many other reports that are dealt with, and you’re working with human beings!
Book recommendation: Write to the Point by Sam Leith.
What are your tips for writing a bug report? Share your thoughts on Twitter under the hashtag #CommsOfEthicalHacker!