Introduction
YesWeHack provides a fully managed and continuous pentesting service.
Define the scope of what needs to be tested and your specific requirements, and YesWeHack will select the right pentesters and create tailored pentest campaigns.
Be notified of each new finding, and access an actionable report (including remediation guidance) through the platform.
ℹ️ To learn how to manage your first vulnerability report from continuous pentest, click here.
Vulnerability report overview
ℹ️ You will find your Vulnerability Reports in the Vulnerability Center, whether they come from continuous pentest or pentest campaigns.
A vulnerability report contains all the important information you need to properly assess the bug and start your remediation process.
It starts with the report header, which includes:
The Report ID, taking the following format: #YWH-PGMXXXXX
The Report status, which is “Under review” when the report appears in the Vulnerability Center
The Title, which is a summary of metadata and bug impact and can be edited
The program name
The report submitter (i.e., “YesWeHack_For_‘Company’”). Note: Tags are added to the reports to define whether they come from ‘Continuous Pentest’ or a ‘Pentest campaign’.
The right-hand side panel helps you evaluate the risks:
Priority based on CVSS, Exploitability score, and asset value (as defined by organisations).
CVSS based on the Pentester’s report first, then updated with YesWeHack suggestions. The report always shows the latest updated score.
Asset value as indicated in the program’s scopes.
It also features key report data:
Report metadata, which is also used to generate the report’s title
Tag management system
ℹ️ Two report tags are included in reports from the Continuous Pentest services:
“Pentest Campaigns” – For scheduled pentests
“Continuous Pentest” – For ongoing security testing
Filter by them in the Vulnerability Center to easily manage your reports.
Tracking status
Bug description and report processing
The report starts with a bug description written by the Pentester. It contains:
a description of the vulnerability,
all information on how it can be exploited (including a reproducible proof of concept)
and remediation guidance.
Following the bug description, you’ll find the YesWeHack team assessment after they validated the issue.
ℹ️ All vulnerability reports from the Continuous Pentest service are reviewed and assessed by the YesWeHack Team before appearing in your Vulnerability Center, to streamline remediation.
At the end of the report description, for all vulnerability reports referring to a CVE, you will find a text block with the CVE details.
The bug report is followed by the comment thread where you can track the evolution of the report over time (e.g., comments, report status).
Messages visible to everyone will be tagged:
As well as messages only visible to your team:
ℹ️ For more information about the reports' workflow, check out our dedicated article.
Vulnerability report management
At the end of a vulnerability report, you will find a “quick actions” section to easily manage your report.
ℹ️ To learn how to manage a continuous pentest vulnerability report (e.g., change the status, ask for a retest, send a comment to your team), click here.