Your bug is real. Your report reads like ChatGPT. That's why it got closed.
Here’s the part of bug bounty nobody puts in the onboarding doc. In 2026 a triager’s first decision isn’t “is this bug real.” It’s “is this person about to waste my afternoon.” They make that call in roughly ten seconds, off the shape of your writing, before they’ve read one line of your PoC. Write in the shape of AI slop and you start every report already in the hole. A strong bug can climb out. A borderline one gets shovelled in with the spam, and honestly, fair enough.
So I write reports specifically so that never happens. Not because my bugs need the help, but because a real finding filed in chatbot-shape gets read like a fake one, and I’m not in the habit of handing a triager the excuse to close me. What follows is the checklist I actually run before hitting submit, taken apart tell by tell.
This isn’t about whether you used a model to draft the thing. Nobody cares. It’s about whether the output still smells like a machine did it for you.
Why the bar moved
Two years ago a clean, well-structured report meant you cared enough to write one. Today it means you found the “generate” button. Same polish, opposite signal: the specific flavor of tidy that LLMs produce now reads as “pasted a request into a chatbot and forwarded whatever fell out, comprehension optional.”
Triagers adapted, because of course they did. They built mental filters, crude ones, the kind that catch your good report in the same net as the forty pieces of garbage that landed before lunch. They are not going to apologize and they are not going to stop, because the spam is real and the queue is not getting shorter. So you route around the filter. That’s the whole game, and sulking about how unfair it is is just a slower way to lose.
The tells
Em-dashes
The loud one. The em-dash, that long elegant dash, is everywhere in model output and nearly extinct in how working hackers actually type at 1am. It is not a grammar crime. It is a tell, and there’s no trophy for punctuation, so stop carrying the flag that gets you searched.
Find every one before you send. The count should be zero. A comma, a period, a colon, or a plain hyphen all do the job, and not one of them whispers “I was generated.”
Preemptive defense sections
You know the ones. “Why this is not a duplicate.” “Why this is not informational.” “Testing scope and harm avoidance.” A whole paragraph rebutting an accusation nobody has made yet, like arriving at dinner already apologizing for the meal.
It reads as nerves, and worse, as compliance theater, the throat-clearing a model bolts on to cover itself. Confident humans don’t pre-litigate. If severity genuinely needs a sentence of context, give it one sentence inside Impact, not its own heading and a candle.
The wall of self-restraint
I did not crack the hash. I did not call any write methods. I did not enumerate other users. I did not exfiltrate data. I did not pivot to other hosts. I limited my testing to a single account…
Six bullets of things you heroically declined to do. Models adore this because it pattern-matches to “responsible.” A human reads it as someone explaining at length that they did not rob the bank they walked past. If it matters at all, one line at the end of Impact covers it: “Did not invoke write methods or crack the hash.” Curtain.
Defensive severity hedging
CVSS 3.1: 7.5 (High by calculator, but rated Medium here because the affected endpoint requires authentication and…)
Pick a number. Stand behind it. The triager can downgrade you, that is literally the job, and one downgrade is not a black mark. Arguing yourself down from High to Medium inside your own report is a magic trick where the disappearing rabbit is your credibility.
Academic vocabulary in a vuln report
“This demonstrates a differential in the authorization primitive.” “As a negative control, I issued the same request…” “This is a non-trivial finding.”
Nobody talks like this with their hands on a keyboard. You ran the request, you got a different answer, so say that: “the same endpoint returns 200 for the comment but 403 for the post.” Concrete and flat beats academic and inflated every time. “For comparison,” not “as a negative control.” “The same handler,” not “the identical dispatch primitive.” You’re filing a bug, not defending a thesis.
The CVE garnish
This pattern is associated with several known issues (CVE-2023-XXXXX, CVE-2024-YYYYY, CVE-2025-ZZZZZ).
Three CVEs in parentheses, loaded in for ballast. One relevant CVE earns its spot. Three is seasoning, and any triager who knows the area can tell you went shopping. It reads less like research and more like a kid wearing his dad’s blazer to the interview.
Frontmatter cosplay
The over-formal header block. Severity: … CVSS: … Asset: … CWE: … Date: … Reporter: … Environment: … Methodology: … eight fields of ceremony before a single word about the actual bug. The platform already has boxes for most of this. You’re not documenting, you’re performing rigor. Four lines, then get to the point.
Everything the same length
Three bullets, identical shape: subject, verb, object, “allowing an attacker to” consequence. Then three more cut from the same bolt of cloth. Real writing has a pulse. Long sentence, then a short one. A fragment, occasionally. When every line is the same width on the page, a machine laid the bricks, and the reader feels it before they can name it.
What the other direction looks like
You don’t fix this by sprinkling in typos like you’re distressing a pair of jeans. You fix it by writing like someone who did the work and is telling another person what they found.
- First person, where it’s true. “I checked whether the token survived logout. It did.” Models flinch at “I.” You shouldn’t.
- Short sentences next to long ones. Vary it. Read it out loud; if it drones, break it.
- Plain talk. “The hash should be considered burned.” “The attacker no longer has to guess where the files live.” “That check just doesn’t run on this method.” That’s how hackers describe things to each other, minus the thesaurus.
- Concrete over abstract. Real method names, real values, real paths. Not “various sensitive endpoints,” the actual one. Specificity is the strongest human signal there is, precisely because the spam can’t fake it: it doesn’t have your PoC.
- Short mitigation. Two to four lines. They know how to fix an auth check. They don’t need a five-step recovery program with a workbook.
The pass I run before sending
Two minutes. Less than you just spent on the CVSS calculator.
- Count the em-dashes. If it isn’t zero, you have homework.
- Check the length. One bug, no chain, has no business running a hundred lines. If it does, it’s padding, or it’s secretly two bugs sharing a trenchcoat.
- Read it out loud. If it sounds like a research paper or a compliance memo, rewrite the worst paragraph the way you’d explain the bug to a friend who hasn’t had coffee yet.
- Delete any section that opens with “Why this is not,” “Testing scope,” or “Harm avoidance.” It was never helping.
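The pass above as a script, added here as an example and not part of the original post: a small Python linter that runs the checklist's mechanical checks (em-dash count, line count, header-field count, "Why this is not" style sections, a run of "I did not" lines, and a cluster of three or more CVEs in one parenthesis) over a report. The sample report, the thresholds, and the regexes are my assumptions, and the sample is constructed to trip most of the checks.

```python
import re

# Sample report, constructed for this example; it deliberately trips most of the checks.
SAMPLE_REPORT = """\
Severity: High
CVSS: 7.5
Asset: api.example.com
CWE: CWE-639
Date: 2026-01-10
Reporter: me

Why this is not a duplicate

1. Log in as user A \u2014 note the session cookie.
I did not enumerate other users.
I did not exfiltrate data.
I did not pivot to other hosts.
This pattern is associated with several known issues (CVE-2023-XXXXX, CVE-2024-YYYYY, CVE-2025-ZZZZZ).
"""

DEFENSIVE = ("why this is not", "testing scope", "harm avoidance")
RESTRAINT = ("i did not", "i limited my testing")
FIELD = re.compile(r"^[A-Z][A-Za-z ]{1,20}: \S")  # "Severity: High" style header line at the top
CVE = re.compile(r"CVE-\d{4}-\w{4,}")

def lint(text, max_lines=100):
    """Return the homework list: one string per tell found in the report text."""
    lines = text.splitlines()
    issues = []
    if n := text.count("\u2014"):
        issues.append(f"{n} em-dash(es): swap for a comma, period, colon or hyphen")
    if (n := sum(1 for ln in lines if ln.strip())) > max_lines:
        issues.append(f"{n} lines for one bug: cut the padding or file it as two reports")
    if (front := next((i for i, ln in enumerate(lines) if not FIELD.match(ln)), len(lines))) > 4:
        issues.append(f"{front} header fields: keep four, the platform has boxes for the rest")
    for ln in lines:
        if ln.strip().lower().startswith(DEFENSIVE):
            issues.append(f"delete section '{ln.strip()}': it rebuts an accusation nobody made")
    # Longest run of consecutive "I did not ..." lines; one sentence inside Impact is enough.
    run = longest = 0
    for ln in lines:
        run = run + 1 if ln.strip().lower().startswith(RESTRAINT) else 0
        longest = max(longest, run)
    if longest >= 3:
        issues.append(f"{longest} consecutive 'I did not' lines: one sentence at the end of Impact")
    # Three or more CVE ids inside one pair of parentheses is garnish, not evidence.
    for grp in re.findall(r"\(([^)]*)\)", text):
        if (k := len(CVE.findall(grp))) >= 3:
            issues.append(f"{k} CVEs in one parenthesis: keep the one that actually applies")
    return issues
```

Run `lint(SAMPLE_REPORT)` and you get five lines of homework; a clean report returns an empty list.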
That’s it. None of this turns a weak bug strong; nothing does. What it does is stop a strong bug from getting filed under “AI spam” before anyone reads the part that matters. The bar moved while you were itemizing CVSS. The fix costs two minutes. The alternative costs you the read.
If you write reports for a living and you’ve got tells I missed, I want to hear them. Bring receipts.