How to Write a Good Vulnerability Findings Report
First of all, Happy Eid al-Fitr 1440 H, and please forgive any mistakes. Nothing in this world is perfect, including this writing.
Since the launch of the BSSN program titled V2DP (Voluntary Vulnerability Disclosure Program), many people have asked in discussion forums and social media groups how to properly write a bug report after discovering a vulnerability. Here are a few tips from me on how to write a good one.
Provide an appropriate title
The title is the first thing people read. Therefore, write a title that represents the entire finding. For example: Stored XSS in Contact Admin, Unrestricted File Upload on Profile Picture Feature, and so on.
List all affected assets
In this section, write all assets impacted by the finding. These may include IP addresses, domains, hostnames, URLs, and others. The purpose is to help the application owner clearly understand which assets are vulnerable to the reported issue.
Provide a brief description of the finding
The description gives a general explanation of the vulnerability. For example, if the issue is XSS, explain that it occurs due to improper input validation, which allows JavaScript to execute in the victim’s browser. This section usually also states the severity and the CVSS score taken from the calculator.
Explain how to reproduce the finding
This section is usually the most detailed, because the tester must explain step by step, from start to finish, how the validator can reproduce the vulnerability.
Describe the impact of the finding
This section explains the potential impact of the vulnerability on the organization’s systems or reputation. Commonly, the focus is on Confidentiality, Integrity, and Availability, but in some cases vulnerabilities may also significantly impact organizational reputation.
Provide remediation steps
This is a very important section because the tester must provide guidance or recommendations on how to fix or close the vulnerability. In some cases, the application owner may not know how to properly fix a specific issue, so the tester’s recommendation can serve as a reference or even be adopted as the fix.
Provide long-term recommendations
This is rarely written but very helpful for organizations in preventing similar incidents in the future. It may include short-term and long-term recommendations such as changes in developer behavior, policy updates, CI/CD deployment improvements, or other preventive measures.
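As an added example for the report structure above (my own code, not part of the original post or the V2DP program), the following renders a finding into those sections, derives the CVSS v3.1 base score and severity from the vector string instead of relying on a calculator, and refuses to produce a report with an empty mandatory section. The sample finding and its asset URL are constructed placeholders.

```python
# Added example, not from the post: score a finding with CVSS v3.1 and render the sections above.
import math
# CVSS v3.1 base-metric weights (spec section 7.4); I and A share C's weights; PR depends on Scope.
_W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
      "UI": {"N": .85, "R": .62}, "C": {"H": .56, "L": .22, "N": 0.0}}
_W["I"] = _W["A"] = _W["C"]
_PR = {"U": {"N": .85, "L": .62, "H": .27}, "C": {"N": .85, "L": .68, "H": .5}}

def _roundup(x: float) -> float:  # CVSS v3.1 Roundup: one decimal, upward, float-safe
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector: str) -> float:
    """Base score for a vector such as 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'."""
    m = dict(p.split(":") for p in vector.split("/") if not p.startswith("CVSS"))
    iss = 1 - (1 - _W["C"][m["C"]]) * (1 - _W["I"][m["I"]]) * (1 - _W["A"][m["A"]])
    impact = 6.42 * iss if m["S"] == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploit = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[m["S"]][m["PR"]] * _W["UI"][m["UI"]]
    total = impact + exploit if m["S"] == "U" else 1.08 * (impact + exploit)
    return _roundup(min(total, 10.0)) if impact > 0 else 0.0

def severity(score: float) -> str:
    """Qualitative rating per the CVSS v3.1 severity scale."""
    scale = ((0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10, "Critical"))
    return next(name for limit, name in scale if score <= limit)

REQUIRED = ("title", "assets", "description", "cvss_vector", "steps", "impact", "remediation")

def render_report(f: dict) -> str:
    """Render Markdown in the section order above; every mandatory section must be filled."""
    missing = [k for k in REQUIRED if not f.get(k)]
    if missing:
        raise ValueError(f"incomplete report, empty sections: {missing}")
    score = cvss31_base_score(f["cvss_vector"])
    out = [f"# {f['title']}", "## Affected assets", *(f"- {a}" for a in f["assets"]),
           "## Description", f["description"],
           f"Severity: {severity(score)} (CVSS {score}, {f['cvss_vector']})",
           "## Steps to reproduce", *(f"{i}. {s}" for i, s in enumerate(f["steps"], 1)),
           "## Impact", f["impact"], "## Remediation", f["remediation"]]
    if f.get("long_term"):  # rarely written, as the post notes, but worth including
        out += ["## Long-term recommendations", f["long_term"]]
    return "\n".join(out)

# Constructed sample finding (placeholder asset, not a real target).
SAMPLE = {"title": "Stored XSS in Contact Admin", "assets": ["https://app.example.test/contact"],
          "description": "Message body is stored and rendered without output encoding.",
          "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "steps": ["Log in as a regular user.", "Submit a message with the test payload.", "Open the admin inbox."],
          "impact": "Script runs in the administrator's browser session.",
          "remediation": "Apply context-aware output encoding and a strict Content-Security-Policy."}
```

Calling `render_report(SAMPLE)` yields a report headed by the title, listing the asset, and stating "Severity: Medium (CVSS 5.4, ...)" before the numbered reproduction steps.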
A good report produces good results. Therefore, write your report in detail and make it easy to understand so the reader does not become confused.