The original post: /r/cybersecurity by /u/Conscious-Falcon-1 on 2024-11-16 23:29:43.

Hi all,

I am using a throwaway account. I recently joined a new organization that is used to ordering product pentests and getting reports that do not include details, such as the steps to reproduce and exploit the vulnerability, or the CVSS score.

This has led the development team, unable to reproduce the vulnerability, to accept the finding and severity as-is from the report, and to add every finding to the backlog with its reported severity level.

This has worked so far because few pentests were ordered. But now we are significantly increasing the number of yearly and post-important-change pentests.

In my previous experience, pentest findings contained detailed steps to reproduce as well as the CVSS 3.1 vector.

Before giving the report to product teams, there was a vulnerability assessment step to review the real severity of the findings (using the details of the report and our own, better knowledge of the business logic), and more often than not, each finding would have its severity level decreased. We would do it by adjusting the CVSS (usually on the conditions required to exploit or the impact on CIA). Or we would realize that it was a false positive.

This step was really important, because following this assessment, the list of findings given to the product teams would be much smaller, and the timeline SLA to address a finding would be longer.

I was wondering what the community's take on this is. I can see the value of the reassessment, because a lot of time is saved downstream by requiring less work from the product team and giving them more time as well.

Can I enforce, in the contract with the pentesters, a requirement for more details in the findings, including the CVSS score vector and step-by-step instructions to exploit the weakness? I am curious about your take on this.