Writing reports

What you can find in this section
Writing a detailed bug bounty submission helps us triage and investigate your report faster so we can determine more efficiently whether your submission is eligible for a reward. It also reduces the time that a vulnerability you may have found remains present in our services.
In this section you will find:
Guidelines on what elements you should include in your report
Best practices on writing reports
Examples of reports for various types of vulnerabilities we have received through our Bug Bounty program. Please note that all examples shared on this page are fictional.
IDOR
XSS
Rate limit
Great reports make a great program
Our Bug Bounty program receives a large volume of reports every day. Our team manually reviews each report. Whether or not your report is valid under our Bug Bounty program, a well-written report allows Facebook to triage a potential issue efficiently and helps you get a response as quickly as possible.
Well-written reports improve your experience and the overall program by:
Reducing the time we need to verify a bug submission and reproduce a potential issue
Enabling us to award bounty payouts more quickly
Limiting the time that a valid vulnerability is present in our service
What to include in your report
In order for us to efficiently triage your report, we ask you to include the following:
A title that clearly describes the issue
Your title should describe the vulnerability you found, not its impact or reproduction steps
A concise description of the vulnerability that answers the following questions:
What product or feature does the issue affect?
Why do you think this is a vulnerability?
What is the actual impact of the vulnerability?
Setup & reproduction steps:
Both your setup and reproduction steps should match what you used during your own testing
Include an FBDL run, even if you weren’t able to reproduce the issue with Bug Bounty test users
© 2024 Meta