Submitting High-Impact Reports
Craft reproducible reports, include local context, and collaborate with triage reviewers.
10 min read · Updated Oct 9, 2025 · For Hackers
NidFul’s triage team and program owners depend on clear, reproducible, and contextualised reports. Follow this structure—refined through our most successful programs—to keep your signal strong.
Before You Submit
- Re-read the program’s latest policy revision and confirm the asset is in scope.
- Verify whether the issue was reported previously using the duplicate checker.
- Gather supporting evidence: screenshots, request/response captures, and proof-of-concept payloads.
Report Structure
- Title – Clear and specific (e.g., “IDOR allows unauthorised airtime transfer on api.example.com”).
- Summary – One paragraph describing who is impacted and why it matters.
- Impact – Quantify the risk: data exposure, financial loss, regulatory implications.
- Steps to Reproduce – Numbered steps with environment details (device, OS, network conditions).
- Supporting Material – Attach logs, Burp Suite requests, or short screen recordings.
- Mitigation Ideas – Optional but appreciated, especially if local infrastructure introduces unique constraints.
Reference local regulations
Tie the vulnerability back to NDPR, POPIA, or other African laws when applicable. It helps organizations prioritise remediation.
Severity & CVSS
- Provide a CVSS v3.1 vector if possible.
- Highlight business impact particular to the region (mobile money abuse, SIM swap risk, etc.).
- If unsure, flag the report as “Needs severity guidance” for NidFul triage to review.
Communication Best Practices
- Respond to clarification requests within 24 hours when possible.
- Use threaded comments for follow-up questions.
- Update the report when new testing insights emerge—don’t open separate submissions for the same root cause.
Reward Timeline
- Acknowledged – Program confirms receipt (target: < 1 business day).
- Triaged – NidFul or program owners validate impact and assign severity.
- Resolved – Fix deployed, awaiting verification.
- Bounty Decision – Payment scheduled via your selected payout method.
Keep Your Signal High
- Withdraw reports quickly if you discover they are false positives.
- Share context on exploit feasibility; highlight prerequisites that reduce risk.
- Respect program rate limits and don’t brute-force production assets.
After mastering submissions, review Payments, Taxes, and Compliance to ensure smooth payouts.