-
-
Notifications
You must be signed in to change notification settings - Fork 14.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
156990a
commit ed081d7
Showing
1 changed file
with
50 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| # Vulnerability Reports | ||
|
|
||
| ## Summary | ||
|
|
||
| * [Tools](#tools) | ||
| * [Vulnerability Report Structure](#vulnerability-report-structure) | ||
| * [Vulnerability Details Structure](#vulnerability-details-structure) | ||
| * [General Guidelines](#general-guidelines) | ||
| * [References](#references) | ||
|
|
||
|
|
||
| ## Tools | ||
|
|
||
| Tools to help you collaborate and generate your reports. | ||
| * [GhostManager/Ghostwriter](https://github.com/GhostManager/Ghostwriter) - The SpecterOps project management and reporting engine | ||
| * [pwndoc/pwndoc](https://github.com/pwndoc/pwndoc) - Pentest Report Generator | ||
|
|
||
| List of penetration test reports and templates. | ||
| * [reconmap/pentest-reports](https://github.com/reconmap/pentest-reports) - Collection of penetration test reports and pentest report templates | ||
| * [juliocesarfort/public-pentesting-reports](https://github.com/juliocesarfort/public-pentesting-reports) - A list of public penetration test reports published by several consulting firms and academic security groups. | ||
|
|
||
|
|
||
| ## Vulnerability Report Structure | ||
|
|
||
| * Executive Summary | ||
| * Security Findings and Recommendations | ||
| * Vulnerabilities (sorted by severity) | ||
| * Appendix (optional) | ||
|
|
||
|
|
||
| ## Vulnerability Details Structure | ||
|
|
||
| * **Summary**: a concise introduction to the vulnerability, providing a snapshot of the issue and its potential reach.. | ||
| * **Impact**: detailed insights into the potential business ramifications that could arise from exploiting this vulnerability. | ||
| * **Reproductions Steps**: a comprehensive, step-by-step walkthrough on how to replicate the issue,, complete with screenshots, HTTP requests or Proof of Concept code snippets. | ||
| * **Recommendations**: suggestions and best practices for addressing and resolving the highlighted issue. | ||
| * **References**: links to external content, documentation, and security guidelines, including resources like OWASP. | ||
| * **Severity**: Include a severity score like CVSS. | ||
|
|
||
|
|
||
| ## General Guidelines | ||
|
|
||
| * Use a **Passive Voice Form**. | ||
| * **Obfuscate** the secrets: passwords, token, ... | ||
| * Add **caption** to all figures and pictures. | ||
|
|
||
| ## References | ||
|
|
||
| * [Best Practices for Writing Quality Vulnerability Reports - Krzysztof Pranczk](https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-119882422a27) | ||
| * [Overview of technical writing courses - Google Technical Writing](https://developers.google.com/tech-writing/overview) |