How to write great bug bounty submissions

Larry Tremblay / June 15, 2020

Getting clear and concise details on any security issue in Zapier is essential to ensure we can quickly triage and confirm your submission. Here, we've provided a suggested format and some tips for writing a great bug bounty report.

Before submitting, please refer to the security exploit bounty program page for guidelines on what types of issues to report and how to send them to us. And while we're happy to accept multiple submissions from users, please only submit one issue per email to make it easier for us to track submissions.

What to include in your bounty report

At a minimum, we ask that you please include all of the following sections in your bug bounty report:

  • Summary: A short description of the issue
  • Steps: The exact steps you took to exploit the issue
  • Proof of concept: Proof that the exploit works against Zapier
  • Impact: In your own words, a description of what an attacker could do to exploit the issue and how it would affect Zapier

Summary of the issue

In a few sentences or less, briefly describe the issue you've found.

Your summary should:

  • be written by you and not copied and pasted from another source
  • refer directly to the issue you're describing and not use descriptions from a similar submission against another application
  • explain how the issue applies to Zapier

Here's an example of a good bug bounty summary:

I found that the API endpoint /api/v3/users does not have proper authorization checking and will list users for any authenticated request.

And another:

I found the values "id_token" and "password" in publicly available HTML and think that might be a sensitive information leak.

Be specific! It will affect the size of your bounty if we have to do more work to validate your submission because of a lack of detail.

Steps to recreate the issue

To verify your submitted issue is real and qualifies for a bounty, it's critical that we can reproduce it. Please include every step a user needs to take to reproduce the issue, even ones you may think are obvious or implied. If we can't reproduce your issue, we can't verify it.

Here's an example of steps we could follow and reproduce:

  1. Log into your account
  2. Go to https://zapier.com/app/settings
  3. Start an intercepting proxy
  4. Click on some feature in the settings and capture the request
  5. In the request, change the user_id value to something else, and the request should be allowed to continue
  6. Examine the response to see that you have retrieved another user's data

Proof of concept for the issue

Adding a proof of concept that demonstrates the issue being exploited against Zapier will help us more easily triage your submission and make it more likely you'll receive a reward. You can illustrate your proof of concept with a video and/or screenshots.

Attach screenshots directly to the email. We ask that any videos you submit are:

  • short and to the point
  • attached directly to the email if they are under 10MB in size or uploaded to a reputable video hosting platform such as YouTube, Dropbox, or Google Drive
  • private on the hosting site

Impact of the issue

In your own words, describe how exploiting the issue will affect Zapier. This helps us determine the severity of the issue and the likelihood that it will be exploited. Include as many details as are needed to fully describe the issue, but please keep it as concise as possible.

A well-written description of the impact will include:

  • how an attacker could exploit the issue
  • a clear, straightforward explanation of the consequences of the exploited issue (for example, reading a user's session cookies, accessing sensitive user information, etc.)
  • a description of any pivots from this issue to others
  • specific things you found (like "id_token" and "password")

When writing about the impact, please don't:

  • describe "if", "may", or "might" scenarios
  • make generic references to things that might be an issue (e.g. "search for token, id, password, etc.")
  • sensationalize the severity or likelihood of the issue
  • copy and paste generic descriptions from other websites; describe exactly how exploiting the issue will affect Zapier in your own words

What makes a good or bad bounty?

Good bounties

  • Provide an easy-to-follow, step-by-step way to reproduce the problem (the more detail, the better!)
  • Provide a clear description of the impact
  • Include specific details, such as browser versions
  • Clearly describe the attack vector
  • Have a proof-of-concept that is specific to Zapier
  • Include suggested mitigations

Bad bounties

  • Have proofs of concept that are copied directly from websites or are outputs from scanning tools
  • Provide a generic description of the issue that doesn't show how that issue exists on Zapier
  • Reference issues that are copied and pasted from other bug bounty websites
  • Make unreasonable claims about the impact or severity of an issue
