As a bug hunter at Cobalt, HackerOne and BugCrowd I always try do my best to give programs the best information needed to understand the security report.
Sometimes I notice that some public disclosures on HackerOne have just two or three paragraphs like:
You guys don’t have SPF header on your mail server.
Check it online here: …
If I was the program manager I would categorize this like “WTF” bug or something. Not for the vulnerability itself but because the lack of information and effort by the bug hunter. You need to sell your service. You need to show the program that you care and you know what you are talking about. Treat the program like your client.
Sometimes this make the difference between earning kudos and earning money.
Elaborate the security vulnerability as much as possible and describe possible attack scenarios. Screenshots and videos are always a bonus.
Also show the “client” clear solutions for their problem.
Hey this is just a small tip… Hope it makes difference on your future reports!