One of the most common questions we get from new hackers is "How can I get along better with security teams and bounty administrators?"
We get it. There are cases when you submit a report and the communication with the team on the other end goes wrong. You may be left wondering why. While we don't have all the answers, we put together some guidelines to help any hacker communicate more effectively with security teams. At HackerOne, our goal is to make vulnerability reporting safe and rewarding for all parties involved, and we hope you'll find these tips useful when you submit your next report. Our next entry in this series will focus on how security teams can improve their communication with hackers.
1: Be professional with your communication.
It all starts with tone. While tone is hard to master, an objective one seems to work well in nearly all cases. Security teams that are hosting bug bounty programs or vulnerability disclosure programs do so because they want to hear from you. They believe in the service that you provide, otherwise they would not have a program to begin with. But often your bug is one of many things they must address on a given day, including authoring code, testing and fixing. To make your reports easier to process, present your findings in a clear, composed and concise manner without unnecessary commentary. Clear and professional communication is highly appreciated and can boost your standing with a security team, and even in the industry for future opportunities.
2: Avoid Internet or other types of slang.
Assume the person on the other end of the Security@ inbox is not versed in emoji, l33t sp34k, or using a few characters instead of full words. When possible, try to avoid using these shortcuts because it makes your report harder for teams to decipher. Slang can slow down responses, result in miscommunication and be seen as unprofessional. If slang is an important part of your communication style, consider waiting until you establish a better relationship with the team. It's also always best to avoid using profanity.
3: Provide deep detail and repro steps.
This is one of the most important things you can do. Security teams often have limited resources, so the more useful information you can provide, the faster they can verify your issue for triage. In general, it's best to detail the following information in reports: what the bug is, what an attacker can do with it, and what steps will reproduce the issue. If you are unable to explain how to reproduce the issue consistently, that might indicate the bug needs more research before you submit it.
Here's a great example of a useful report that enabled a team to quickly triage and fix the issue.
4: Establish a schedule for updates, and don't spam.
Everyone likes to know their issue is being worked on. However, not all security teams communicate at the same speed. One way to set expectations is by suggesting a timetable for updates in your report. This can help both parties, and spare you from constantly wondering if your report is getting reviewed.
Here is something you can write to help proactively manage expectations:
"Do you have an estimate on resolution time? If not, are you comfortable if I check in after a week?"
5: If English is not your native language, let them know.
For some, writing can be a challenge, and it can be especially difficult if it's not in your native language. The security team to whom you are reporting will have more empathy for you, likely spending a little more time looking at your report, if you let them know that English is not your native language. At the beginning of your report, you can add "I hope my report is clear. Please note that English is not my native language." Translation technology has come a long way, but it can also generate some awkward sentences, sometimes changing what you meant to express. You can help prevent misunderstandings by noting this. In this case, write something like: "Because writing in English is hard for me, I used translation software for my report. I hope that the output is clear."
6: Avoid holding grudges.
Sometimes when communication doesn't go well, it can make you feel frustrated about a security team. However, to maintain good relationships and increase your chances for a thorough review of your reports, avoid letting past feelings impact new reports you submit. Those feelings can negatively impact future interactions with a team, even if you're dealing with a different reviewer who may not have context about your earlier experience with that team. Managing a positive relationship with a security team is in your best interest, and each new report you submit offers an opportunity to improve that relationship.
We hope you found these suggestions useful. For more information, check out our disclosure guidelines page: https://hackerone.com/disclosure-guideline. And if you have other tips or feedback, please pass them along and we'll add them to the list. As always, please feel free to email us directly at firstname.lastname@example.org.
In a future blog post, we'll provide a similar list that can help security teams better manage relationships with hackers through how they communicate. Until then, hack on!