# Reporting

This is a checklist for drafting an application security assessment report.

#### Introduction

* [ ] Objective
* [ ] Scope
* [ ] Schedule
* [ ] Targets
* [ ] Limitations
* [ ] Findings Summary
* [ ] Remediation Summary

#### Executive Summary

* [ ] Stick to facts
* [ ] Provide an overview of the assessment's timeline, goals and results
* [ ] Focus on High and Critical findings
* [ ] Avoid Fear, Uncertainty and Doubt (FUD)
* [ ] Maximum of one page
* [ ] Use concise bullets for the most important details (optional)
* [ ] Call out the missing or weak controls that are the root cause of multiple findings
* [ ] Ensure that the audience can actually act on the recommendations

#### Findings

* [ ] Include a description of the vulnerability
* [ ] Remediation steps
* [ ] Steps to reproduce (PoC)
* [ ] List each affected path and parameter
* [ ] Include screenshots, commands and code snippets
* [ ] Group findings by severity
* [ ] Include a checklist of the controls that were tested (best for reports with minimal findings)

#### Appendices

Include an appendix for the following situations:

* [ ] Documenting authorization letters
* [ ] Findings with many parameters or a lot of supporting information
* [ ] Listing enumerated usernames or guessed passwords
* [ ] Long command or code output
* [ ] Data exfiltrated from the application during exploitation
* [ ] Key project information such as scope limitations
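
The Findings checklist and the "long command/code output" appendix rule above can both be enforced mechanically. The following Python helper is an added example, not part of this guide: it validates structured finding records against the checklist (description, remediation, reproduction steps, affected paths/parameters), groups them by severity, renders the Findings section as Markdown, and moves evidence longer than a fixed number of lines into an appendix. The `Finding` fields, the severity scale, the 20-line appendix threshold and the sample findings are all assumptions made for this example; the sample findings are constructed and describe no real target.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Severity buckets in the order they appear in the report (highest first). Assumed scale.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational"]
# Evidence longer than this many lines is moved to an appendix (assumed threshold).
APPENDIX_LINE_THRESHOLD = 20


@dataclass
class Finding:
    title: str
    severity: str
    description: str          # what the vulnerability is
    remediation: str          # concrete fix steps
    reproduction: List[str]   # numbered PoC steps
    affected: List[Dict[str, str]] = field(default_factory=list)  # {"path": ..., "parameter": ...}
    evidence: str = ""        # command/code output or a screenshot reference


def validate(f: Finding) -> List[str]:
    """Return the checklist items a finding fails; an empty list means it is complete."""
    problems = []
    if f.severity not in SEVERITY_ORDER:
        problems.append(f"unknown severity {f.severity!r}")
    if not f.description.strip():
        problems.append("missing description")
    if not f.remediation.strip():
        problems.append("missing remediation steps")
    if not f.reproduction:
        problems.append("missing steps to reproduce")
    if not f.affected:
        problems.append("no affected path/parameter listed")
    elif any("path" not in a for a in f.affected):
        problems.append("affected entry without a path")
    return problems


def group_by_severity(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Bucket findings by severity, highest first, dropping empty buckets."""
    grouped: Dict[str, List[Finding]] = {s: [] for s in SEVERITY_ORDER}
    for f in findings:
        grouped[f.severity].append(f)
    return {s: fs for s, fs in grouped.items() if fs}


def render_findings(findings: List[Finding]) -> str:
    """Render the Findings section (plus an evidence appendix when needed) as Markdown.
    Refuses to render if any finding fails the checklist."""
    incomplete = {f.title: validate(f) for f in findings if validate(f)}
    if incomplete:
        raise ValueError(f"incomplete findings: {incomplete}")
    out = ["## Findings", ""]
    appendix: List[str] = []
    number = 0
    for severity, bucket in group_by_severity(findings).items():
        out += [f"### {severity}", ""]
        for f in bucket:
            number += 1
            out += [f"#### {number}. {f.title}", "", f.description, "", "**Affected:**"]
            for a in f.affected:
                param = f" (parameter `{a['parameter']}`)" if a.get("parameter") else ""
                out.append(f"- `{a['path']}`{param}")
            out += ["", "**Steps to reproduce:**"]
            out += [f"{i}. {step}" for i, step in enumerate(f.reproduction, 1)]
            if f.evidence:
                lines = f.evidence.splitlines()
                if len(lines) > APPENDIX_LINE_THRESHOLD:
                    # Long output goes to an appendix; the finding keeps only a reference.
                    ref = f"Appendix A.{len(appendix) + 1}"
                    appendix.append(f"### {ref}: {f.title}\n\n```\n{f.evidence}\n```")
                    out += ["", f"Full output: see {ref}."]
                else:
                    out += ["", "```", *lines, "```"]
            out += ["", "**Remediation:**", "", f.remediation, ""]
    if appendix:
        out += ["## Appendices", "", *appendix, ""]
    return "\n".join(out)


# Constructed sample findings for a hypothetical target; not real results.
SAMPLE_FINDINGS = [
    Finding(
        title="Reflected XSS in search", severity="High",
        description="The `q` parameter is echoed into the page without output encoding.",
        remediation="HTML-encode `q` on output and deploy a Content-Security-Policy.",
        reproduction=["Browse to /search?q=<script>alert(1)</script>", "Observe the alert."],
        affected=[{"path": "/search", "parameter": "q"}],
        evidence="GET /search?q=%3Cscript%3E HTTP/1.1\nHTTP/1.1 200 OK",
    ),
    Finding(
        title="Verbose server banner", severity="Low",
        description="Responses disclose the exact web server version.",
        remediation="Suppress the version in the Server header.",
        reproduction=["curl -sI https://app.example/ | grep -i ^server"],
        affected=[{"path": "/"}],
    ),
]

# Missing remediation: validate() flags it and render_findings() refuses to emit it.
INCOMPLETE_FINDING = Finding(
    title="Missing rate limit on login", severity="Medium",
    description="Unlimited password attempts are accepted.", remediation="",
    reproduction=["Submit 500 login attempts in one minute."],
    affected=[{"path": "/login", "parameter": "password"}],
)

if __name__ == "__main__":
    print(render_findings(SAMPLE_FINDINGS))
    print("incomplete:", validate(INCOMPLETE_FINDING))
```

Failing the render on an incomplete finding is deliberate: a finding with no remediation or no reproduction steps should never reach a client, so the tooling stops rather than emitting a gap for a reviewer to miss.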
