During this event, we will have a few bonuses up for grabs in each round of the event. Read on to learn how you can earn them!
Each day, around 5pm ET, a tweet from @theparanoids will announce the Hacker of the Day!
The Hacker of the Day will be chosen daily based on report impact, report write up quality, and positive contributions to the community. The winner will be notified beforehand allowing an opportunity to provide their Twitter handle for inclusion in the tweet (optional).
What does Verizon Media look for in a good report?
An extra few minutes spent on a report can save you hours once it has been submitted. Remember, the issue may be clear to you, but if it cannot be replicated from easy-to-follow instructions, you will likely receive this status change:
At this point, you may have to rewrite your whole report, time that could have been spent looking for another vulnerability (aka $$). Take a moment to review with us the key components of a good report.
Verizon Media has a large presence on the internet. Select the asset that aligns as closely as possible with where you found your vulnerability.
Select the weakness that best describes your vulnerability. You may refer to the program policy page for a lookup table of common vulnerability names and the CWE we usually associate with each.
While optional, this part of the report is usually the most contentious, as it directly correlates to a potential bounty award. Try to be as honest as possible with yourself and with us. Marking every report as critical does not work in your favor, and it does not help you jump the queue. We read every report with fresh eyes, but if you have trained us to expect that your severity is wrong, that perception may be hard to change.
It should be noted that Verizon Media will make the final determination on impact. At times we have reduced severity and provided an explanation as to why; at other times we have increased the impact after further internal investigation.
The title is a simple field, but it can be an effective tool for drawing attention to your report. It is displayed in H1 email submission notifications and in the H1 inbox. This is a good chance to roll the asset, attack, and result together into one line.
Example: "UnAuthenticated Boolean Based SQLi - foo.bar.media.yahoo.com"
Start with a one-paragraph description of your report. This is the first text we read: is it enough to convince us you found an issue? Some additional items to include within the summary are:
If this section is not clear in your report, expect the status icon (purple) on the report to turn to light blue (bad) instead of going orange (good).
Below are some simple considerations:
Some of the best reports we have seen also include a detailed explanation of how the hacker came to test this specific thing, and why they tried this type of attack in that place.
Hopefully this overview helps you level up your report-writing skills. We certainly hope so!
Happy hacking,
The Paranoids