Vulnerability Report Template

This template provides a structured format for documenting security vulnerabilities found during penetration testing, security assessments, or bug bounty programs. Use this for professional vulnerability disclosure and remediation tracking.


Report Information

Report ID: [VULN-YYYY-XXXX]
Date: [YYYY-MM-DD]
Reporter: [Your Name / Organization]
Target: [System / Application / Network]
Assessment Type: [Penetration Test / Vulnerability Scan / Bug Bounty / Security Review]
Classification: [Critical / High / Medium / Low / Informational]


Executive Summary

Vulnerability Title: [Clear, descriptive title]
CVSS Score: [X.X] ([Critical/High/Medium/Low]) (CVSS v3.1 base score; Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9)
CVSS Vector: [CVSS:3.1/AV:_/AC:_/PR:_/UI:_/S:_/C:_/I:_/A:_]
Impact: [Brief description of potential impact]
Affected Systems: [List of affected systems/components]
Discovery Date: [YYYY-MM-DD]
Status: [Open / In Progress / Resolved / False Positive]


Vulnerability Details

Description

[Detailed description of the vulnerability, including what was found and how it was discovered]

Technical Details

  • Vulnerability Type: [SQL Injection / XSS / Authentication Bypass / etc.]
  • Affected Component: [Specific system, application, or service]
  • Attack Vector: [Network / Adjacent / Local / Physical, plus the entry point used (URL, parameter, port, interface)]
  • Authentication Required: [None / Low-privileged user / Administrator - the privileges an attacker needs to exploit it]
  • User Interaction Required: [None / Required - e.g. a victim must open a link or file]

Proof of Concept

[Include code snippets, screenshots, or step-by-step reproduction steps]
[Use code blocks for commands, URLs, or payloads]

Screenshots/Evidence

[Include relevant screenshots, logs, or other evidence]

  • Screenshot 1: [Description]
  • Screenshot 2: [Description]
  • Log Entry: [Relevant log entries]

Impact Assessment

Business Impact

  • Confidentiality: [Impact on data confidentiality - High/Medium/Low]
  • Integrity: [Impact on data integrity - High/Medium/Low]
  • Availability: [Impact on system availability - High/Medium/Low]

Potential Consequences

  • [Consequence 1]
  • [Consequence 2]
  • [Consequence 3]

Affected Data/Systems

  • [Data store, application or host affected, and the records or functions exposed]
  • [User population affected, e.g. all customers, a single tenant, administrators only]


Risk Assessment

Likelihood

  • Exploitability: [Easy/Moderate/Difficult - skill, tooling and preconditions an attacker needs]
  • Detection: [Easy/Moderate/Difficult - how likely exploitation would be noticed by existing logging and monitoring]
  • Overall Likelihood: [High/Medium/Low]

Impact Severity

  • Financial Impact: [Estimated financial impact]
  • Reputation Impact: [Potential reputation damage]
  • Compliance Impact: [Regulatory or compliance implications]

Risk Rating

Overall Risk: [Critical/High/Medium/Low]
Justification: [Brief explanation of risk rating]


Remediation

Immediate Actions

  • [Action 1] - [Priority: High/Medium/Low]
  • [Action 2] - [Priority: High/Medium/Low]
  • [Action 3] - [Priority: High/Medium/Low]

Recommended Fixes

  1. [Fix 1]
    • Description: [What needs to be done]
    • Implementation: [How to implement the fix]
    • Timeline: [When this should be completed]
  2. [Fix 2]
    • Description: [What needs to be done]
    • Implementation: [How to implement the fix]
    • Timeline: [When this should be completed]

Long-term Recommendations

  • [Recommendation 1]
  • [Recommendation 2]
  • [Recommendation 3]

Testing & Validation

Verification Steps

  1. [Step 1 to re-test the vulnerability after the fix is applied, e.g. re-run the original proof of concept]
  2. [Step 2 to re-test the vulnerability after the fix is applied]
  3. [Step 3 to re-test the vulnerability after the fix is applied, including any bypass variants of the original payload]

False Positive Analysis

[Explain how the finding was confirmed as genuine (e.g. exploitation succeeded, not only a scanner signature match); if it was later determined to be a false positive, record why]

Additional Testing

[Any additional tests that should be performed]


References

  • [CVE-XXXX-XXXX] - [Description]
  • [CWE-XXX] - [Description]
  • [OWASP Top 10] - [Relevant category]

External Resources

  • [Link 1] - [Description]
  • [Link 2] - [Description]
  • [Link 3] - [Description]

Internal References

  • [Internal document 1]
  • [Internal document 2]
  • [Previous assessment report]

Timeline

Date           Action                     Responsible Party   Status
[YYYY-MM-DD]   Vulnerability discovered   [Name]              Complete
[YYYY-MM-DD]   Report submitted           [Name]              Complete
[YYYY-MM-DD]   Acknowledgment received    [Name]              Pending
[YYYY-MM-DD]   Fix implemented            [Name]              Pending
[YYYY-MM-DD]   Verification testing       [Name]              Pending
[YYYY-MM-DD]   Report closed              [Name]              Pending

Communication

Stakeholders Notified

  • [Name] - [Role] - [Date]
  • [Name] - [Role] - [Date]
  • [Name] - [Role] - [Date]

External Disclosure

  • Planned Disclosure Date: [YYYY-MM-DD]
  • Disclosure Method: [Public / Coordinated with the affected vendor / Private (no public disclosure)]
  • Responsible Disclosure: [Yes/No - vendor notified and given time to remediate before any publication]

Appendices

A. Technical Details

[Additional technical information, code samples, or detailed analysis]

B. Screenshots

[Full-size screenshots and evidence]

C. Log Files

[Relevant log entries and system outputs]

D. Network Diagrams

[Network topology or system architecture diagrams]


Report Metadata

Report Version: [1.0]
Last Updated: [YYYY-MM-DD]
Next Review Date: [YYYY-MM-DD]
Report Classification: [Internal / Confidential / Public]
Distribution List: [List of authorized recipients]


Report Prepared By: [Your Name]
Title: [Your Title]
Organization: [Your Organization]
Contact: [Your Contact Information]
Date: [YYYY-MM-DD]