A quick tool for generating quality bug bounty reports. View an example report.
Reflected Cross-Site Scripting (XSS) on Page foo Request Variable bar
Reflected Cross-Site Scripting (XSS)
Stored Cross-Site Scripting (XSS)
DOM Based Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Local File Inclusion
Remote File Inclusion
XML External Entity Injection (XXE)
Broken Authentication and Session Management
Insecure Direct Object References
Sensitive Data Exposure
Missing Function Level Access Control
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
I recommend using direct links to images uploaded on imageshar.es or imgur.
If applicable, include source code. e.g. a sample size of code around the injected XSS. This helps identify the location of the vulnerability in their templating or project source code.
Include relevant information such as stipulations that are good to know that are not included in the steps and/or OWASP articles explaining vulnerability and possible solutions.
This is vulnerable because the user input is not encoded when displayed back in the page request body.
You can find more information on XSS here: