In this post we will go through the main rules and guidelines for reporting vulnerabilities. Let's start with the rules:
- You can report a vulnerability only once.
- In a team, only one member can report a vulnerability. If the report is approved, that member gets points on their personal profile and the team gets points too; however, no points are added to the other team members' personal profiles.
- If two team members report the same vulnerability, we will consider the first report.
- You can report as many vulnerabilities as you want in one host as long as each report is unique.
- You will get points for any approved vulnerability report regardless of what host it was found on (unless stated otherwise in other posts).
- We are not interested in reports saying that a host isn't vulnerable. Either report a vulnerability or don't; we won't chase you down the street for not reporting vulnerabilities.
- Vulnerabilities in OWASP Security Shepherd (free arena) might be awarded partial points.
- Vulnerabilities in our free arena hosts shouldn’t be reported unless we say they might have partial points.
- Changing the application or operating system configuration after exploiting a vulnerability might lead to losing the points from your report, please leave the applications and systems as you find them, don’t ruin the fun for others.
- Only the following vulnerabilities are accepted for now, we will keep updating this list and adding more attack vectors to it periodically but until then stick to the list:
How to Write A Vulnerability Report:
1. Click on the Report Vulnerability button on your dashboard.
2. This form will show up:
3. Fill in the Server Address (the IP address of the server you are reporting a vulnerability on).
4. Add a detailed comment and proof-of-concept information.
5. Select the vulnerability type.
6. Click on Report Vulnerability.
The comment and/or PoC information is extremely important and helps us decide whether to accept or reject your report, so you should pay special attention to this field. Here are some tips on how to fill in this field properly:
- Describe how you found the vulnerability.
- Explain how the vulnerability works and how it can be exploited.
- Tell us how you managed to exploit the vulnerability.
- Provide us with any information you managed to extract using the vulnerability, or prove to us that you can use the exploit to break the security of the server (send us the SSH keys).
- Take screenshots, upload them to your favorite picture hosting website and add the links to the comments.
- Mention any other information you find interesting or useful.
An example of a good report
An example of a bad report
Please adhere to these rules and guidelines when reporting your vulnerabilities to avoid getting your reports rejected for lack of information. If you have any questions, post them in a comment and we will reply to you as soon as possible.
Later edit: Don't know how to write a vulnerability report?