Pentest Reporting

Effective communication of findings is essential for the success of a pentest


Effective communication of findings is essential for the success of a pentest. At HackerOne, our reporting process combines several components to ensure you receive comprehensive insights and are ready to implement corrective measures. With our detailed reporting approach, you gain a comprehensive view of your security landscape, empowering you to respond to any vulnerabilities with timely precision.

Real-time Findings

  • Vulnerabilities are reported in real-time through our platform, ensuring that you are always up-to-date with ongoing assessments.

  • We encourage pentesters to report vulnerabilities as soon as they are identified, providing you with the most current view of your asset's security state.

  • While individual pentesters might have their own unique methodologies, the real-time reporting mandate ensures a uniform experience for our customers.

Vulnerability Reporting Standards

Each vulnerability identified by a pentester is reported through the designated pentesting program. Examples of findings and best-practice issues we frequently report include:

  • Cookies lacking the Secure or HttpOnly attributes.

  • Usage of weak TLS protocols and ciphers, such as enabling TLS 1.0 or 1.1, which can result in PCI ASV Scan failures.

  • User account enumeration.

  • Clickjacking vulnerabilities.

  • Presence of outdated software with vulnerabilities, irrespective of public exploit availability.

  • Issues related to invalid certificates, including those that are expired or self-signed.

  • Self XSS or HTML Injections.

  • Weak password policies.

  • Absence of rate limiting.

  • Support for insecure HTTP methods such as DEBUG or TRACE.

  • No account lockout mechanism, making assets susceptible to brute forcing.

  • Non-impactful information disclosures like software version revelations or stack traces.

  • Communication over cleartext services such as FTP, HTTP, or Telnet, even without tangible proof of impact.

  • Exposure of management consoles, whether web-based or SSH.

  • Missing security headers.

Integration Capabilities

Our platform offers built-in integrations that allow you to send findings directly to your preferred issue trackers and vulnerability management software. Please check the product documentation for more information on Supported Integrations.

Real-time Communication

We prioritize seamless and efficient communication to ensure the success of our pentests. Slack serves as our main communication hub. For real-time, synchronous interactions, pentesters can utilize Slack's Video and Audio calling features.

For each pentest, there are two distinct Slack channels:

  • Customer Channel: This channel includes both the customer contacts and the HackerOne team.

  • Pentester Channel: Exclusive to the HackerOne team, this channel provides a space for internal discussions.

We encourage all involved parties to actively participate in these channels for a streamlined pentesting experience.

ℹ️ The Value of Real-time Pentester Communication

Once testers are approved, they gain Slack access, enabling them to communicate directly with customers and relevant HackerOne staff within shared channels. Our pentest community manager remains readily available for queries and discussions. This exclusive access empowers our pentester community as well as customer teams, fostering continuous feedback on findings, direct assistance, and consistent high-quality results.

In such time-sensitive engagements, real-time communication and trust are crucial, as any delay can significantly affect outcomes.
