Learn about report metadata and how to automate report title generation.
What is report metadata?
When submitting a report, Hunters fill out several fields that will make up the report's metadata:
- Bug type - This field is based on the Common Weakness Enumeration (CWE), a standardized categorization of software weaknesses. It contains a name and an ID. Each CWE describes a specific kind of flaw that can exist in a system's design, code, or implementation and that could lead to a security risk.
In the example below, the CWE belongs to the "Access control issue" category and is "IDOR - Insecure Direct Object Reference (CWE-639)":
- Scope - The scope field enables you to select which asset is impacted by the vulnerability, from all the assets of the underlying program.
- Endpoint - The endpoint goes together with the Scope to narrow down where the vulnerability lies.
- Vulnerable part - This metadata identifies the kind of element that is vulnerable: an API parameter, an HTTP method, a cookie, or another part of the request. It goes together with the part name to make the report more precise.
- Part name - The name of the vulnerable part identified above (for example the parameter or cookie name).
- Payload - This metadata refers to a crafted piece of data or code sent to a target system to trigger a specific response or exploit a vulnerability. It is necessary for teams to understand and reproduce the bug.
- Technical environment - This field is dedicated to listing the tools you used to find this bug (OS, browser, hunter's tools) and their respective versions. This is useful for teams to properly reproduce the bugs.
- Application fingerprint (optional) - Metadata that specifies the fingerprint of the affected application(s).
- Common Vulnerabilities and Exposures (CVE) (optional) - If the bug you discover is linked to a CVE, enter its unique identifier here following the pattern CVE-[Year]-[Number] (e.g., CVE-2024-38874).
- Impact (optional) - This dropdown menu lets you link the bug you discovered to its main impact. This helps organisations better understand the underlying risk and assess the bug accordingly.
- IP used - This last metadata refers to the IP address(es) you used when finding the bug. A "Get my IP" button fills in this field automatically when clicked, assuming you are still on the same IP address you used.
These fields can be leveraged to automatically generate a report title that follows this format:
- $CVE_ID $BUGTYPE_short on $SCOPE through $ENDPOINT via $VULNERABLE_PART $PARTNAME leads to $IMPACT
- Auto-generation requires at least $BUGTYPE and $SCOPE to be filled in; the other placeholders are omitted when their field is empty.
- Titles can still be entered manually, and generated titles can be edited.
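As an added illustration of the title format above (example code, not the platform's own implementation), the function below assembles the title from the metadata fields, enforces the two required fields, drops empty optional segments and checks the CVE pattern. The dictionary keys and the sample values are assumptions chosen for this example.

```python
import re

# Pattern for the documented CVE identifier format: CVE-[Year]-[Number].
CVE_PATTERN = re.compile(r"^CVE-\d{4}-\d{4,}$")


def generate_title(meta: dict) -> str:
    """Build a report title from metadata fields (constructed example).

    Required keys: bugtype_short, scope.
    Optional keys: cve_id, endpoint, vulnerable_part, part_name, impact.
    Raises ValueError if a required field is missing or the CVE id is malformed.
    """
    def get(key: str) -> str:
        return (meta.get(key) or "").strip()

    bugtype, scope = get("bugtype_short"), get("scope")
    if not bugtype or not scope:
        raise ValueError("auto-generation needs at least the bug type and scope")

    cve = get("cve_id")
    if cve and not CVE_PATTERN.match(cve):
        raise ValueError(f"CVE id must follow CVE-[Year]-[Number], got {cve!r}")

    parts = []
    if cve:
        parts.append(cve)
    parts += [bugtype, "on", scope]
    if get("endpoint"):
        parts += ["through", get("endpoint")]
    # Vulnerable part and part name form one segment; either may be absent.
    vulnerable = " ".join(p for p in (get("vulnerable_part"), get("part_name")) if p)
    if vulnerable:
        parts += ["via", vulnerable]
    if get("impact"):
        parts += ["leads to", get("impact")]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample metadata, not a real report.
    sample = {
        "cve_id": "CVE-2024-38874",
        "bugtype_short": "IDOR",
        "scope": "api.example.com",
        "endpoint": "/users/{id}",
        "vulnerable_part": "URL parameter",
        "part_name": "id",
        "impact": "Information disclosure",
    }
    print(generate_title(sample))
```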