A triage-optimized bug bounty report template with steps to reproduce, impact analysis, and proof-of-concept sections — formatted for HackerOne, Bugcrowd, and Intigriti. Free to download or generate with PoCcraft.
A strong bug bounty submission includes: concise summary, clear steps to reproduce, demonstrated impact, proof of concept, and suggested severity. This template is structured for fast triage on HackerOne, Bugcrowd, and Intigriti.
Generate your submission
Paste your PoC — PoCcraft drafts a triage-ready bug bounty report with steps, impact, and severity in platform-friendly Markdown.
Generate your report freeTriagers need to validate quickly: what the bug is, where it lives, how to reproduce it, and what an attacker gains. Lead with a one-paragraph summary and suggested severity before technical detail.
Numbered, minimal steps that any engineer can follow. Include exact URLs, parameters, and account states. Avoid assumptions — if login is required, say so upfront.
Explain real-world consequences: data exposure, account takeover, privilege escalation, or financial loss. Tie impact to business risk so severity discussions move faster.
Include HTTP requests, payloads, screenshots, or short video references. A working PoC separates valid reports from theoretical ones. Use CVSS 3.1 when platforms expect a scored severity per FIRST.
# Bug Bounty Report — [Program Name] **Asset:** [URL / scope item] **Report date:** [YYYY-MM-DD] ## Summary [One paragraph: what, where, and why it matters.] ## Severity **Suggested severity:** High **CVSS 3.1:** 8.1 — `CVSS:3.1/AV:N/AC:L/...` ## Steps to Reproduce 1. Navigate to `[URL]` 2. [Action] 3. [Observe impact] ## Proof of Concept ```http [Request/response or payload] ``` ## Impact [What an attacker can do.]
Use PoCcraft as your bug bounty reporting tool — paste your PoC, pick the bug bounty template, and export a submission-ready report in minutes.
Open the generator