
Manage my first Bug Bounty vulnerability report

Discover the key steps and actions to take with your reports


Where do I find my Vulnerability Reports?

  • Go to the “Vulnerability Center” page

  • Click on a “Report Title” to open a given report

ℹ️ Learn more about the structure of a report and the detailed information it contains here.

⚠️ The following sections outline the process for organizations that rely on YesWeHack for triage. If you're managing triage internally, please go to this dedicated article.


What can I do with a new report?

There are several options once you receive your first vulnerability report. Keep in mind that your Customer Success Manager is here to guide you throughout the process and help you choose the best way forward. Do not hesitate to reach out to them if you have any questions.

Accept the report & pay the reward

If your program is fully managed, the YesWeHack triage team will provide you with suggestions about the status, the report severity (based on CVSS), and the reward to set.

Follow the next steps to display this assessment and take action:

  • Click on “Go to assessment” on the right-side panel

  • You will land on the assessment written by the triage team. This is a special comment in the report’s thread that is visible only to your organisation

The initial CVSS displayed when you receive a report is the one set by the Hunter. The YesWeHack triage team will review it and sometimes suggest a change. The reasons for that change are detailed in the assessment.

  • Click on “Apply this CVSS” to modify the CVSS based on the triage team’s suggestions

This will open a new modal showing all the CVSS dimensions, with explanations for those that have been modified.

  • Click on “Save” to apply this suggestion. These modifications will also appear in the comment thread of the report

  • Click on “Change as Accepted” to accept the vulnerability report

This will bring you to the action panel at the end of the report, where you can change the status and add a comment. You can also directly select a comment template.

The reward suggested by the YesWeHack triage team matches the suggested CVSS and your reward grid.

  • Go to “Set this reward” if you agree with the triage team’s suggestion

This action will redirect you to the “Set Reward” tab in the “Actions” part of the report:

  • Verify the “Reward amount”

  • Enter your “password”

  • Add “Reward Allocation Tags” or write a “comment” (optional)

  • Click on “Set Reward”


Talk to your team

  • Click on “Actions”

  • You will be redirected automatically to the comment section

  • Assign specific members of your team to this report

  • Write your comment

  • Click on “Post comment to team”

ℹ️ Your comment will only be visible to the recipient(s).


Talk to the triage team

Use case: You would like more information about the suggestions provided by the triage team.

  • Go to “Comment for triagers”

  • Upload images/videos or a live recording (optional)

  • Post your comment; you will receive a reply shortly!


Talk to the Hunter

Use case: You need more information to reproduce the vulnerability. Send a message to get clarification from the Hunter.

  • Click on “Actions”

  • Select “Comment for hunter” tab

  • Write your message

  • Upload images/videos or a live recording (optional)

  • Click on “Post comment to hunter”


Ask the Hunter to verify your fix

Use case: Your tech team deployed a fix for this vulnerability. Ask the Hunter to confirm that the vulnerability is now patched and cannot be bypassed.

  • Click on “Actions”

  • Select “Ask for fix verif.” tab

  • For the comment, select the template “YWH - Accepted > ask for fix verif”

  • Upload images/videos or a live recording (optional)

  • Click on “Ask for fix verification”

ℹ️ The Hunter will then either confirm the fix or reject it and indicate that the vulnerability remains.

The report status will be accompanied by an icon so you can track its progress, for instance in the Vulnerability Center.

Icon definitions:

Pending fix verification

Fix confirmed

Fix rejected


Close your report

Use case: A vulnerability has been fixed and the report has to be closed. Change its status from “accepted” to “Ask for fix” to close the report.

ℹ️ To learn more about the report workflow, read this article.

  • Click on “Actions”

  • Select “Change Status” tab

  • Select the “Close” status and a reason

  • Write a comment (optional)

  • Upload images/videos or a live recording (optional)

  • Click on “Change status”
