
Vulnerability Reports

Learn more about the key information contained on vulnerability reports

Updated over a week ago

Vulnerability Report overview

ℹ️ You will find your Vulnerability Reports in the Vulnerability Center, whether they are coming from Bug Bounty programs, Pentest campaigns, VDP, or Attack Surface scanners.

A vulnerability report contains all the important information you need to properly assess the bug and start your remediation process.

Starting with the report header, which includes:

  • The Report ID, taking the following format: #YWH-PGMXXXXX

  • The Title, which is a summary of metadata and bug impact and can be edited

  • The Program name as well as the hunter that submitted the report

  • An SLA reminder

  • The number of comments

The “Quick Actions” bar lets you jump quickly between the different sections of the report:

  • Change status

  • Set reward

  • Members management

  • Export

The right-hand side panel helps you evaluate the risk:

  • Priority based on CVSS, Exploitability score, and asset value (as defined by organisations)

  • CVSS, based on the Hunter’s report first, then updated with Triage suggestions. The report always shows the latest updated score.

  • Asset value as indicated in the program’s scopes

It also shows key report data:

  • Triage status to track your report’s progress

  • Report metadata, which is also used to generate the report’s title

  • Reward grid for this program and specific asset

  • Tag management system


Bug description and report processing

The report starts with a bug description written by the hunter. It usually contains a summary, a proof of concept, and a suggestion towards remediation.

ℹ️ You can define a “Bug description” template for Hunters to follow on your programs.

The bug report is followed by the comment thread where you can track the evolution of the report over time.

ℹ️ For more information about the report workflow, check out our dedicated article.

Within the comments, the YesWeHack triage team can be identified by the badge icon.

Messages visible to everyone are tagged accordingly, as are messages visible only to your team and the YesWeHack triage team.

Once the triage team has handled the report—including scope and rules checks, deduplication, communication with the Hunter, and bug reproduction—you’ll receive an assessment.

This assessment appears as a special comment in the report thread, visible only to your organisation. It summarizes the proof of concept and its potential impact on your systems.

The assessment also comes with 3 suggestions for your team:

  • A new CVSS score based on updated impact

  • The next report status

  • The reward to pay, corresponding to the updated CVSS and your reward grid for the impacted asset

You may take action directly through the assessment’s CTAs:

  • “Change as Accepted”

  • “Apply this CVSS”

  • “Set this reward” (once the report has been accepted)

Click “Apply this CVSS” to view the details of the update and validate them. They also include explanations to help Hunters understand why the CVSS dimensions were modified.
