From Bug to Signal — Writing Useful Security Reports
The job isn’t just finding issues — it’s communicating risk clearly.
Narrative
Start with impact (who can do what to whom, and under which preconditions), then the smallest reproduction that demonstrates it, then fix guidance precise enough to implement without a follow-up meeting. An engineer should be able to paste the repro and see the problem within minutes.
Minimal Repro
# State-changing endpoint whose CSRF token is predictable, so it is effectively absent:
# the request below succeeds with nothing but the victim's session cookie.
# Caveat for the report: a cross-site HTML form cannot send Content-Type: application/json,
# so state whether the endpoint also accepts form-encoded or text/plain bodies; if it does not,
# this is not reachable from a browser and the impact rating must say so.
curl -X POST https://example.com/api/change-email \
  -H 'Content-Type: application/json' \
  --data '{"email":"attacker@evil.tld"}' -b session=abc
// Quick client-side origin check. This runs in the browser (it reads location), so it is
// useful for deciding whether to attach credentials or a token to an outgoing request;
// it is not the fix. The server must validate the request's Origin header itself.
function isSameOrigin(url) {
  try {
    const u = new URL(url, location.href);
    return u.origin === location.origin;
  } catch {
    return false; // unparseable URL: treat as foreign
  }
}
Recommendation: on the server, reject state-changing requests whose Origin header is missing or not an exact match against an allowlist (no prefix or substring checks); bind an unpredictable CSRF token to the session and rotate it per request when feasible; set SameSite on the session cookie as defence in depth.
Attachments
- Screenshots, logs, or HAR files
- Version info and feature flags
- Risk matrix callout if helpful
Done right, this reads like a tiny design doc for security decisions.