
Writing impact of a report

This is also an important factor in a bug bounty report. At this point, the security team has a clear idea about the vulnerability and they are aware that the threat is significant. Stating the impact of the vulnerability in your report helps them escalate it to higher levels if need be.

Bear in mind that the report passes through different people, and the program owners have to convince the developers that the vulnerability is worth fixing. A real-world impact statement greatly helps with that, and it also helps the reader of the report understand what the vulnerability is all about. The best way to help the development team understand the vulnerability and its severity, and also to get a good bounty, is to add an impact section to your report.

Put yourself in the position of one of the program owners and consider what matters most to them. If it's a fintech company and the vulnerability you found exposes financial data, you should highlight that. If it's a health tech company and the vulnerability you found exposes patients' data, you should highlight that. That being said, you should never push your report too hard or make it sound as if it is overemphasizing the issue. That will result in poor delivery. Remember that there is a fine line between highlighting the impact and exaggerating it.
