InternalAllTheThings/docs/methodology/vulnerability-reports.md

Vulnerability Reports

Summary

Tools

Tools to help you collaborate and generate your reports.

List of penetration test reports and templates.

Vulnerability Report Structure

  • Executive Summary
  • Security Findings and Recommendations
  • Vulnerabilities (sorted by severity)
  • Appendix (optional)

Vulnerability Details Structure

  • Summary: a concise introduction to the vulnerability, giving a snapshot of the issue and its potential reach.
  • Impact: detailed insight into the business consequences that could arise from exploiting this vulnerability.
  • Reproduction Steps: a comprehensive, step-by-step walkthrough of how to replicate the issue, complete with screenshots, HTTP requests or Proof of Concept code snippets.
  • Recommendations: suggestions and best practices for addressing and resolving the highlighted issue.
  • References: links to external content, documentation and security guidelines, including resources like OWASP.
  • Severity: a severity rating backed by a standard score such as CVSS; include the vector string so the rating can be verified.

General Guidelines

  • Use the passive voice form (e.g. "the parameter was found to be injectable" rather than "I injected the parameter").
  • Obfuscate the secrets (passwords, tokens, session cookies, API keys, ...) in screenshots, captured requests and PoC code before they go into the report.
  • Add a caption to all figures and pictures.

References