Achieve Success with Your Vulnerability Report
Learning Objectives
After completing this unit, you’ll be able to:
- Explain the elements of a great Salesforce vulnerability report.
- Define the five vulnerability report statuses.
Successful Vulnerability Reports
The most important factor to your success as a Salesforce hacker is submitting a high-quality vulnerability report. A high-quality report means that the submitted vulnerabilities must be specific, reproducible, and actionable.
When creating a vulnerability report, ask yourself: What information would I need to be able to reproduce this vulnerability, never having seen it before? Your report should include:
- Title that clearly describes the issue
- Your IP address
- Testing start date
- Affected product or feature
- URL associated with the bug (to the best of your knowledge)
- List of steps to reproduce the vulnerability
- Summary of the bug’s business impact
- Role of who can initiate the attack (admin/standard user)
- Backup documentation (screenshots, videos, and so on)
Vulnerability Report Statuses
Once submitted, researchers can track their vulnerability report through its lifecycle by viewing the report status field in Hackforce or via updates in Chatter. The bug bounty triage team and researchers communicate via Chatter if additional information is needed, to discuss why a specific status is selected, or to provide updates about a report. The five statuses used for reports are New, Needs More Information, Triaged, Closed, and Duplicate. Each status is shown with an explanation.
Hackforce Status | What It Means | How It’s Applied |
|---|---|---|
New | Report was recently submitted and is pending Salesforce response. | A report remains in the “New” state until a member of the bug bounty triage team acknowledges the submission and assigns it to a designated triager. |
Needs More Information | Additional information is needed from the researcher before being accepted. | This returns the report to the researcher, and no further action can be taken by the bug bounty triage team until the missing information is provided. |
Triaged | Salesforce was able to reproduce the issue, accepts the issue as a vulnerability, and will implement a fix. | The report remains in the Triaged state until the developers review and fix the vulnerability. The bug bounty team awards the researcher for their work based on the bounty table amount at the time of submission. |
Closed | Closed - Fixed: Salesforce has remediated the bug. | Salesforce rewards the researcher for their work in accordance with the bounty amount indicated at the time of submission. |
Closed - Informative: Salesforce has determined the submission has no security impact. | An explanation is provided to the researcher via Chatter, and since there is no action required from the submission, there is no corresponding bounty award. | |
Closed - No Fix - will not fix: Salesforce will not fix the reported vulnerability because it was erroneously reported. | ||
Closed - No Fix - working as documented: The reported issue is working as documented and is not a security issue. | ||
Duplicate | The bug was already submitted by a security researcher or found internally before this submission. | An explanation is provided to the researcher via Chatter and general details about the previously discovered vulnerability if possible. Bounties are not awarded for duplicate reports. |
The details outlined in the table are meant as general guidelines. The decision of when to grant a reward, and its value, is entirely at Salesforce’s discretion.
Remediation
If the report is accepted as a security bug and assigned the Triaged status, the Engineering team will pursue remediation efforts according to the priority of the bug.
Successful bug hunting for Salesforce starts with a great vulnerability report. How can hackers maximize their earnings? Coming up, let’s learn about the rewards of targeted research campaigns.
