Importing Reports
The YesWeHack platform facilitates the aggregation of Vulnerability Reports coming from multiple sources, whether they’re from other Bug Bounty programs, other platforms, VDPs, pentest campaigns, scanner output, or any other tool.
ℹ️ You must be a BU Owner, BU Manager, or Program Manager to be able to import new reports in a designated program.
The program must also be validated.
How it works
Go to the “Admin Panel”
Select the program of your choice
Click on “Report imports” on the left-hand side menu
⚠️ Only import Vulnerabilities that are in scope, and qualifying, to be consistent with your program rules.
Click on “Import reports” on the top-left of the screen
A new modal will appear. It contains:
A link to download a CSV template with all the different fields used in the YesWeHack platform. A new report will be created for each line filled out.
A dropdown section to upload the YesWeHack CSV template once filled, or your own files.
The template includes both mandatory and optional fields. Please review the details and examples below before filling it out:
Column name | Mandatory yes/no | Description | Example |
title | yes | The title of the report. (250 chars max) | [CVE-2020-14174] IDOR on https://api.example.net through https://api.example.net/profile.php via GET parameter user_id leads to Arbitrary File Read |
description | yes | The description of the report, completed by the report author. Markdown format is supported. | Exploitation |
status | yes | The default value is "accepted". | accepted |
status_at | no | The date of the last report status change with the 'yyyy-MM-dd HH:mm:ss' format. | 2025-04-28 10:34:13 |
cvss_score | no | The CVSS 3.0 score of the report, from 0 to 10. The number is rounded to the nearest tenth. | 5,1 |
application_finger_print | no | The application fingerprint of the vulnerability. (max = 250 characters) | Symfony; PHP |
bug_type | no | Text containing a single value in "CWE-***" format. The bug type must be defined in the list of platform bug types. | Direct Request (CWE-425) |
cve_id | no | CVE name written like CVE-YYYY-NNNN | CVE-2025-46661 |
impact | no | Impact as listed in the platform. The impact type is defined by category. | Account Takeover |
created_at | no | The date of creation of the report with the 'yyyy-MM-dd HH:mm:ss' format. | 2025-04-28 10:34:13 |
cvss_vector | no | A CVSS 3.0 vector of the report, following the standard syntax. (https://www.first.org/cvss/v3.0/specification-document) | CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:L/A: |
end_point | no | The endpoint of the vulnerability. | |
hunter_email | no | The email of the hunter who wrote the report. No hunter will be linked to the report if it is not defined. The hunter will then claim the report. (min=6, max=180) | |
vulnerable_part | no | The vulnerable part of the report. ('cookie', 'get-parameter', 'header', 'http-method', 'other', 'path', 'post-parameter', 'undefined') | cookie |
part_name | no | The name of the vulnerable part. (max = 250 characters) | url |
payload_sample | no | The payload of the report. | |
priority | no | Number between 1 and 5. The value can also be prefixed with P or p (ex: P1). | P5 |
scope | no | The scope of the report. The scope list is defined on the Bug Bounty settings (max=255) | |
source | no | The source of the imported report. (max=50) | Internal information system |
source_ips | no | The IP addresses used for the report. From one to ten IP addresses separated by commas. | 13.37.13.37,13.37.13.38 |
source_url | no | The source URL of the imported report. (255 chars max) | |
tags | no | The report tags, from one to ten separated by commas. | tag1,tag2,tag3 |
technical_environment | no | The technical environment of the report. (250 chars max) | OSX 10.14.6; Firefox 68.0 |
ask_for_fix_verification_status | no | Status to follow the ask for fix verification process. (unknown, cancelled, confirmed, pending) | pending |
⚠️ Ensure your CSV file is properly formatted, as special characters often cause import errors.
Also, make sure to accurately map the fields from your uploaded file(s) (right) to the platform's expected format (left) to avoid compatibility issues.
An error will be triggered if something goes wrong with the import (e.g., field format). A CSV with the details of the error will be attached to help you understand and correct the report import.
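A pre-upload check for the constraints in the table above, as an added example that is not YesWeHack's code and not the platform's own validation: it flags rows that break the documented mandatory fields, length limits, date format, enumerations and list sizes, and writes the sample with every field quoted so Markdown commas, quotes and newlines survive. The function names, error messages and sample rows are constructed for illustration; platform-defined lists (bug types, impacts, scopes, status values) and the CVSS fields are not checked.

```python
import csv, io, ipaddress, re
from datetime import datetime
# Limits and allowed values copied from the column table on this page.
MAX_LEN = {"title": 250, "application_finger_print": 250, "part_name": 250, "scope": 255,
           "source": 50, "source_url": 255, "technical_environment": 250, "hunter_email": 180}
ENUMS = {"ask_for_fix_verification_status": {"unknown", "cancelled", "confirmed", "pending"},
         "vulnerable_part": {"cookie", "get-parameter", "header", "http-method",
                             "other", "path", "post-parameter", "undefined"}}
PATTERNS = {"priority": r"[Pp]?[1-5]", "cve_id": r"CVE-\d{4}-\d{4,}"}

def _ok(func, *args):  # True when func(*args) does not raise ValueError
    try:
        func(*args)
        return True
    except ValueError:
        return False

def validate_row(row):
    """Return the problems found in one CSV row (empty list: none found)."""
    def v(col):
        return (row.get(col) or "").strip()
    errs = [f"{c}: mandatory" for c in ("title", "description", "status") if not v(c)]
    errs += [f"{c}: over {n} chars" for c, n in MAX_LEN.items() if len(v(c)) > n]
    errs += [f"{c}: value not allowed" for c, ok in ENUMS.items() if v(c) and v(c) not in ok]
    errs += [f"{c}: bad format" for c, p in PATTERNS.items() if v(c) and not re.fullmatch(p, v(c))]
    errs += [f"{c}: expected yyyy-MM-dd HH:mm:ss" for c in ("status_at", "created_at")
             if v(c) and not _ok(datetime.strptime, v(c), "%Y-%m-%d %H:%M:%S")]
    errs += ["hunter_email: under 6 chars"] if 0 < len(v("hunter_email")) < 6 else []
    for c in ("tags", "source_ips"):  # both hold one to ten comma-separated items
        items = [i.strip() for i in v(c).split(",")] if v(c) else []
        if len(items) > 10:
            errs.append(f"{c}: more than ten items")
        if c == "source_ips":
            errs += [f"{c}: {i!r} is not an IP" for i in items if not _ok(ipaddress.ip_address, i)]
    return errs

def validate_csv(text):
    """Map 1-based data-row number to its problems, for rows that have any."""
    rows = csv.DictReader(io.StringIO(text, newline=""))
    return {n: e for n, row in enumerate(rows, 1) if (e := validate_row(row))}

def sample_csv():
    """Constructed sample; QUOTE_ALL keeps Markdown commas, quotes and newlines intact."""
    buf = io.StringIO(newline="")
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows([
        ["title", "description", "status", "status_at", "priority", "vulnerable_part", "source_ips"],
        ["IDOR on profile.php", 'Exploitation\n\n1. Send `user_id=2`, then "replay"', "accepted",
         "2025-04-28 10:34:13", "P5", "cookie", "13.37.13.37,13.37.13.38"],
        ["", "Breaks several rules", "accepted", "28/04/2025", "P7", "body", "13.37.13.999"]])
    return buf.getvalue()
```

Calling `validate_csv(sample_csv())` returns problems for row 2 only; run the same function over your own file's text before uploading it.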