Reporting
After finishing your penetration testing activities, you will need to create a report. People tend to copy and paste from the tools' auto-generated reports (Burp, Nessus, and so on). This is what differentiates an amateur from a professional: the latter will make sure to check every finding for false positives and re-evaluate the scoring of each vulnerability. In this section, I will show you how to evaluate the scoring of your findings, and after that, I will share a template that you can use to get ideas for your future reporting activities.
Common Vulnerability Scoring System – CVSS
The Common Vulnerability Scoring System (CVSS) v3 was released as an enhancement of CVSS v2. The big question is: why do you need to calculate it yourself, if the tool (for example, Burp) already does it? Let me give you an example. Suppose that you have found an SQL Injection vulnerability, and the report tells you that the score is high. In reality, the server that was tested was disconnected from the internet...