Browse docs
docs / 03

Writing a Great Report

Required fields, proof-of-concept standards by asset type, and what gets reports rejected.

A clear, reproducible report is the difference between a fast payout and a rejection. Triage reproduces your finding before it reaches the project, so give them everything they need to confirm it.

#Required fields

Every submission should include:

  • Title — a concise summary of the issue.
  • Asset — the affected asset or component (must be in scope).
  • Proposed severity — your assessment (Critical / High / Medium). Triage sets the final severity.
  • Description — the nature of the vulnerability.
  • Steps to reproduce — precise, ordered steps.
  • Proof of concept — see standards below. A working PoC is mandatory.
  • Impact statement — what an attacker can actually achieve.
  • Suggested remediation — optional, but appreciated.

Submissions missing required fields are auto-rejected before review.

#Proof-of-concept standards by asset type

The bar depends on what you're testing:

  • Smart Contracts — a runnable PoC against a local fork. This is strict: steps and logs alone are not enough.
  • Blockchain / DLT — a runnable local PoC is mandatory; written steps and logs alone are insufficient.
  • Web & Apps — reproducible steps with supporting evidence: screenshots, screen recordings, and/or HTTP request/response traces.

Never test against mainnet or a public testnet. PoCs must run on a local fork only — even a minimal PoC on a public testnet can leak the bug. Public exploitation is a serious violation that can result in a permanent ban. See Publication & Disclosure.

#How severity is decided

Severity is driven by real-world impact, not just whether your finding matches a rule on paper:

  • A finding with greater real-world impact than its rule-classified level can be elevated.
  • A finding that matches scope on paper but demonstrates no real-world impact (for example, vulnerable code that isn't live) may be downgraded or declined.

Lead with impact. Show exactly what an attacker gains — funds at risk, data exposed, control gained — and back it with your PoC.

#First to report wins

The first valid report of an issue earns the reward; duplicates earn nothing. A duplicate is the same root cause or vulnerable code path as an earlier valid report — not merely similar symptoms. The earliest valid submission wins.

#Why reports get rejected

Common rejection reasons:

  • The PoC doesn't work or isn't reproducible.
  • The target is out of scope.
  • It's a duplicate of an earlier valid report or a declared known issue.
  • No real issue / invalid.
  • Spam or low-quality submissions (no real PoC, fabricated, or auto-generated filler).

A short, vague report is far more likely to be closed. If your description or PoC looks thin, expand it before submitting — the platform will warn you when a report looks too short.

#Submission limits

To keep the queue healthy, each researcher may have up to 8 active reports at once and submit up to 5 new reports per 48 hours. Reports that have reached acceptance, payment, or a terminal state no longer count against your active limit.