InternalAllTheThings/docs/methodology/vulnerability-reports.md

52 lines
2.3 KiB
Markdown
Raw Normal View History

2023-11-17 11:56:44 +00:00
# Vulnerability Reports
## Summary
* [Tools](#tools)
* [Vulnerability Report Structure](#vulnerability-report-structure)
* [Vulnerability Details Structure](#vulnerability-details-structure)
* [General Guidelines](#general-guidelines)
* [References](#references)
## Tools
Tools to help you collaborate and generate your reports.
* [GhostManager/Ghostwriter](https://github.com/GhostManager/Ghostwriter) - The SpecterOps project management and reporting engine
* [pwndoc/pwndoc](https://github.com/pwndoc/pwndoc) - Pentest Report Generator
List of penetration test reports and templates.
* [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates
* [juliocesarfort/public-pentesting-reports](https://github.com/juliocesarfort/public-pentesting-reports) - A list of public penetration test reports published by several consulting firms and academic security groups.
## Vulnerability Report Structure
* Executive Summary
* Security Findings and Recommendations
* Vulnerabilities (sorted by severity)
* Appendix (optional)
## Vulnerability Details Structure
* **Summary**: a concise introduction to the vulnerability, providing a snapshot of the issue and its potential reach..
* **Impact**: detailed insights into the potential business ramifications that could arise from exploiting this vulnerability.
* **Reproductions Steps**: a comprehensive, step-by-step walkthrough on how to replicate the issue,, complete with screenshots, HTTP requests or Proof of Concept code snippets.
* **Recommendations**: suggestions and best practices for addressing and resolving the highlighted issue.
* **References**: links to external content, documentation, and security guidelines, including resources like OWASP.
* **Severity**: Include a severity score like CVSS.
## General Guidelines
* Use a **Passive Voice Form**.
* **Obfuscate** the secrets: passwords, token, ...
* Add **caption** to all figures and pictures.
## References
* [Best Practices for Writing Quality Vulnerability Reports - Krzysztof Pranczk](https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-119882422a27)
* [Overview of technical writing courses - Google Technical Writing](https://developers.google.com/tech-writing/overview)