My first real Vulnerability Disclosure Program report got no reply. That was fine, because the report was the point.
Two disciplines I hold harder than any technique:
Scope is not a suggestion. Before a single request, I read the program rules twice: what's in scope, what's explicitly out, what testing is allowed, what's forbidden. Authorized passive recon only, until I'm certain. The bright legal line between "research" and "crime with extra steps" is exactly the program's scope, and I intend to stay on the correct side of it for the rest of my life.
Finding the bug is half the work; proving it is the other half. A vulnerability nobody can reproduce isn't a finding; it's a story. A good report is boring on purpose:
- One clear sentence: what the bug is and what it lets an attacker do.
- Exact, minimal, copy-pasteable reproduction steps.
- Realistic impact: the actual one, not the theoretical worst case.
- No exaggeration. If I'm unsure of severity, I say so.
Anyone can stumble into a bug. The thing that makes you worth listening to is explaining it so precisely that the person on the other side can fix it without sending a second email. The dopamine is the shell. The deliverable is the writeup.