Reporting

Finally, at the end of testing, it is necessary to report your findings to the client. It's important to ensure that the report matches the quality of your testing. As the client will only see the report, you have to give it as much love and attention as you do to your testing. The following is a guideline to the layout of the report:

  1. Management summary
  2. Technical summary
  3. Findings:
    • Vulnerability description
    • Severity
    • Affected devices
    • Vulnerability type—software/hardware/configuration
    • Remediation
  4. Appendices

The management summary should be aimed at a senior non-technical audience, with a focus on the business impact and the mitigations required at a high level. Avoid language that is too technical and ensure that the root causes are covered.

The technical summary should be a midpoint between the management summary and findings list. It should be aimed at a developer or a technical lead with a focus on how to fix the issues and broad solutions that could be implemented.

The findings list should describe each vulnerability at a low level, explaining the methods used to identify and replicate the vulnerabilities.

Appendices should contain any extra information that would be too long to describe in a short description. This is where any screenshots, proof-of-concept code, or stolen data should be presented.
