After practicing with the Dojo challenges, you can start finding vulnerabilities on YesWeHack public programs. If you submit high-quality reports, you may then be invited to join private programs.
Before testing, make sure to carefully read the program description and rules to ensure you fully understand the scope of the program you are targeting.
Once you have identified a vulnerability, follow the steps below to submit your report. This article also outlines the potential scenarios that may prevent you from submitting a report.
How to submit a report?
ℹ️ Before submitting a report, please carefully read our Platform Code of Conduct to learn more about the rules on the YesWeHack platform.
Login to your hunter account on the YesWeHack platform
Go to the “My Programs” tab
Click on a program card
ℹ️ Learn more about how to select a program here.
Click on “Submit report” to open the form
Fill in all fields with the required bug details
ℹ️ Read this article to learn more about each of the following fields that refer to report metadata.
Assess each metric to calculate the CVSS score for your report
Click the button on the right to automatically generate a report title
ℹ️ Learn more about report title generation here.
Provide a detailed description of the vulnerability. You can use your own template or a recommended template provided by the organisation to help structure your report easily.
ℹ️ Learn more about how to create a report template here.
Attach images or videos to help triagers assess your vulnerability report (Optional)
Check the box if you want to chain your bug to another
Click on “Submit”
Confirm your report submission
Your vulnerability report now appears in your “Reports” tab with a “New” status.
You will be notified of any updates to your report through notifications. Click the bell icon in the top-right corner to access them.
Why am I unable to submit my report?
KYC verifications
To submit a vulnerability report on a program, you must be KYC-verified.
If you have not confirmed your identity, complete the KYC process first.
Once your profile is validated, you will be able to submit your report.
ℹ️ The YesWeHack Dojo program is exempt and remains accessible to hunters who are not KYC-verified.
ℹ️ To know how to get your account verified, click here.
Disabled program
Organisations can enable or disable a bug bounty program
You cannot submit a report when a program is disabled
ℹ️ You can continue to communicate with the Program Managers regarding ongoing vulnerability reports (submitted before the pause), even if the program has been suspended.
Stay informed about any program updates via notifications
Submission limit
To ensure high-quality submissions across the platform, the number of reports you can have open at the same time depends on the following rules:
ℹ️ It only concerns Bug Bounty and Featured Vulnerability Disclosure policy reports. Dojo reports are excluded.
If you’re just getting started and don’t yet have reports in the following statuses — Accepted, Duplicated, or Resolved — you can have up to two reports open simultaneously.
If you’re a seasoned Hunter but still receive this message, it’s because of your ADR reports' ratio.
The ratio is calculated as follow: Number of ADR reports (Accepted, Duplicated, Resolved) / Total submitted reports
If this ratio is less than 15%, you are limited to four open reports at a given time.
When your ADR ratio exceeds 15%, you can submit an unlimited number of reports on the platform.
Prioritise quality in your vulnerability reports to earn points and rewards.
ℹ️ Please reach out to YesWeHack support by email at [email protected] if you need assistance or platform support. For more information about support and resources, click here.