Recently, I’ve been doing a lot of penetration test reports. It’s given me lots more insight on forming a better report, my initial reports were subpar at-best now that I’ve done dozens of them. I thought I’d make this post and share some tricks I’ve learned along the way, and things to avoid. Here’s what I’ve got down so far!
- Use relaxed language for summaries
- Not only describe a vulnerability or hole, demonstrate it in a safe manner
- If you cannot demonstrate a vulnerability in a safe manner, describe it and provide a proof of concept, indicate you elected not to test it due to risk of <X> happening (eg, crash, segfault, taking down production environments, etc)
- Add your responsible disclosure policy in the report (eg, 90 days from closure of the report unless agreed upon otherwise)
- If you’d like compensation for the report (eg, swag/monetary compensation), let the company know if they can provide it would be appreciated, however, do not demand compensation (it never ends well)
- Be friendly when communicating
- Assume everyone knows what you’re talking about — provide examples and explain the topic/concept clearly so it can be followed and understood with minimal learning curve (not everyone has the same skill-set)
- Make it too long — as someone who’s had to read and write dozens of reports, if you’ve included 15 pages of “what-ifs” most of the times the reader will skip over and look for keywords or proof of concepts of actual vulnerabilities, not conditionals and possibilities
- Assume you know your targets infrastructure and layout — yes, lots can be shown from the public, but unless you’re actually on the inside, you probably won’t fully grasp how every internal system works
- Be egotistic — If your report comes off as overly egotistic, cocky or threatening, you usually nullify the possibility of getting any reward from organizations
Remember to have fun, being an ethical hacker is important and helps secure the organizations. Don’t be afraid to label yourself an ethical hacker instead of a security researcher, in my books they’re identical, you’re doing an action for the greater good and to protect applications/peoples digital security.
When you’ve drafted your public disclosure, and the timeline has exceeded or it’s agreed upon to disclose, remember to do your disclosure and notify the organization of the disclosure as a courtesy to them.
Keep ethically hacking!