As an ethical hacker, your final goal is to submit a report describing a vulnerability you have found on an asset. In this article we aim to explain in a little more detail how you should submit a finding in Ethiack.
We do not have a lot of rules to follow, but we do have a structure that we recommend you follow so that your finding is clear, precise and easy for our customers to understand.
In Ethiack we follow a report structure that is divided into five sections:
- Title:
  - Short but accurate.
  - Your title may point to the vulnerability name and the asset where it was identified.
- Description:
  - Here we want you to describe briefly the vulnerability that you found and how it can impact the organization.
- Steps to reproduce:
  - Describe every step that allows the customer to reproduce it.
  - Describe your way of thinking. Which steps did you take to find the vulnerability?
  - This is one of the most important aspects of your report: describing your way of thinking helps customers to understand the vulnerability clearly.
- Impact:
  - In this case, the aim is to be purely technical and non-judgmental.
  - Try to help the client understand the possible seriousness of the situation.
- Suggested mitigation:
  - Taking into account the vulnerability, the context and the technologies involved, please suggest a mitigation that can successfully address the vulnerability, based on the knowledge you have acquired of the affected system.
Additional Notes:
- You should select the asset where the vulnerability was found precisely, to help the customer easily identify the vulnerable system.
- You should submit a severity for that finding, which may be updated after the triaging phase. To be as standard as possible, we recommend you use the CVSS calculator.
- Be clear, accurate and try to make your finding easy to read.
- Focus on the technical part and make your information helpful to the reader.