title: "Quality Reports"

path: "/hackers/quality-reports"

You notify programs of vulnerabilities by submitting reports to the program's inbox. Not all great vulnerability reports look the same, but many share these common features:

* Detailed descriptions of your discovery with clear, concise, reproducible steps or a working proof-of-concept (POC). If you doesn't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone.

* Screenshots and/or videos can assist your security teams to quickly reproduce the issue if your program accepts them. Make sure the program states their policy regarding screenshots and videos on their security page and scope as not all programs accept them.

Here are some examples of publicly disclosed examples of good reports:

* [Twitter disclosed on HackerOne: URGENT - Subdomain Takeover](https://hackerone.com/reports/32825)

* [Shopify disclosed on HackerOne: Attention! Remote Code Execution](https://hackerone.com/reports/73567)

* [Square disclosed on HackerOne: Delayed, fraudulent transactions](https://hackerone.com/reports/38682)

Some great resources for vulnerability report best practices are:

* [Dropbox Bug Bounty Program: Best Practices](https://blogs.dropbox.com/tech/2015/08/dropbox-bug-bounty-program-best-practices-2/)

* [Google Bug Hunter University](https://sites.google.com/site/bughunteruniversity/)

* [A Bounty Hunter’s Guide to Facebook](https://www.facebook.com/notes/facebook-bug-bounty/a-bounty-hunters-guide-to-facebook/946955115318715)