52 lines
2.3 KiB
Markdown
52 lines
2.3 KiB
Markdown
|
# Vulnerability Reports
|
||
|
|
||
|
## Summary
|
||
|
|
||
|
* [Tools](#tools)
|
||
|
* [Vulnerability Report Structure](#vulnerability-report-structure)
|
||
|
* [Vulnerability Details Structure](#vulnerability-details-structure)
|
||
|
* [General Guidelines](#general-guidelines)
|
||
|
* [References](#references)
|
||
|
|
||
|
|
||
|
## Tools
|
||
|
|
||
|
Tools to help you collaborate and generate your reports.
|
||
|
|
||
|
* [GhostManager/Ghostwriter](https://github.com/GhostManager/Ghostwriter) - The SpecterOps project management and reporting engine
|
||
|
* [pwndoc/pwndoc](https://github.com/pwndoc/pwndoc) - Pentest Report Generator
|
||
|
|
||
|
List of penetration test reports and templates.
|
||
|
|
||
|
* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates
|
||
|
* [juliocesarfort/public-pentesting-reports](https://github.com/juliocesarfort/public-pentesting-reports) - A list of public penetration test reports published by several consulting firms and academic security groups.
|
||
|
|
||
|
|
||
|
## Vulnerability Report Structure
|
||
|
|
||
|
* Executive Summary
|
||
|
* Security Findings and Recommendations
|
||
|
* Vulnerabilities (sorted by severity)
|
||
|
* Appendix (optional)
|
||
|
|
||
|
|
||
|
## Vulnerability Details Structure
|
||
|
|
||
|
* **Summary**: a concise introduction to the vulnerability, providing a snapshot of the issue and its potential reach..
|
||
|
* **Impact**: detailed insights into the potential business ramifications that could arise from exploiting this vulnerability.
|
||
|
* **Reproductions Steps**: a comprehensive, step-by-step walkthrough on how to replicate the issue,, complete with screenshots, HTTP requests or Proof of Concept code snippets.
|
||
|
* **Recommendations**: suggestions and best practices for addressing and resolving the highlighted issue.
|
||
|
* **References**: links to external content, documentation, and security guidelines, including resources like OWASP.
|
||
|
* **Severity**: Include a severity score like CVSS.
|
||
|
|
||
|
|
||
|
## General Guidelines
|
||
|
|
||
|
* Use a **Passive Voice Form**.
|
||
|
* **Obfuscate** the secrets: passwords, token, ...
|
||
|
* Add **caption** to all figures and pictures.
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [Best Practices for Writing Quality Vulnerability Reports - Krzysztof Pranczk](https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-119882422a27)
|
||
|
* [Overview of technical writing courses - Google Technical Writing](https://developers.google.com/tech-writing/overview)
|