Hackers notify you of vulnerabilities by submitting reports to your inbox. Not all great vulnerability reports look the same, but many share these common features:
Detailed descriptions of the hacker's discovery with clear, concise reproducible steps or a working proof-of-concept (POC). If the hacker doesn't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone.
Screenshots and/or videos can assist your security teams to quickly reproduce the issue if your program accepts them. Make sure you state your policy regarding screenshots and videos on your security page and scope as not all programs accept them.
Here are some examples of publicly disclosed examples of good reports:
Some great resources for vulnerability report best practices are: