Reporting & Professional Practice · beginner · ~10 min

Evidence, reproduction, and remediation

Provide reproducible evidence and actionable remediation, and explain retesting.

Overview

Complete a finding with reproducible, redacted evidence (exact steps + proof, captured during testing) and actionable, prioritized remediation with references. A retest after fixes verifies they work and records each finding as remediated/partial/open — closing the loop.

Why it matters

Reproducible evidence makes findings credible and fixable; specific remediation and a retest are what actually reduce the client's risk. Clean, redacted evidence also reflects responsible handling of the sensitive data you touched.

Core concepts

  • Reproduction: exact, numbered, copy-pasteable steps.
  • Evidence: proof of impact, cropped and redacted; captured live.
  • Remediation: specific, root-cause, prioritized, with references.
  • Retest: verify fixes; mark remediated/partial/open.

Lesson

A finding the client can't reproduce or fix is half a finding. Two halves complete it: proof and the fix.

Evidence & reproduction

  • Reproduction steps: numbered, exact, copy-pasteable (the request, the parameter, the value). Someone else should reproduce it without you.
  • Evidence: the request/response, a screenshot, or output that proves impact — but clean: crop to what's relevant, and redact real secrets, PII, and customer data you incidentally accessed (you're handling sensitive data — see professional practice). Show enough to prove it, no more.
  • Capture as you go: collect evidence during testing with timestamps; you can't reconstruct it later.
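An added example (not part of this lesson) of the redaction step above: a small pass over a constructed request/response capture that scrubs the bearer token, session cookie, e-mail addresses, card number and key-like value, leaves the field names and the reproduction value in place, and reports how many hits each rule had so the tester can confirm what was removed. The sample capture, rule set and placeholder names are all made up for this example.

```python
import re

# Constructed sample capture, as a tester would paste it into a finding.
# Every host, token, cookie, e-mail, card number and key below is made up.
SAMPLE_EVIDENCE = """POST /api/v1/orders HTTP/1.1
Host: shop.example
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456
Cookie: session=9f1c2b3a4d5e6f7081920a1b2c3d4e5f
Content-Type: application/json

{"email": "jane.doe@example.com", "card": "4111 1111 1111 1111", "id": "1 OR 1=1"}

HTTP/1.1 200 OK
Content-Type: application/json

{"status": "ok", "customer": "jane.doe@example.com", "token": "sk_live_51ABCDEFGHIJKLMNOPQRSTUVWXYZ"}
"""

# (name, pattern, replacement). Placeholders keep the field name and say what
# kind of value was there, so the reader still sees *where* the secret sat.
# Order matters: header values go first so later, broader rules (card, email)
# cannot partially match inside an already-removed token.
REDACTION_RULES = [
    ("bearer_token", re.compile(r"(Authorization:\s*Bearer\s+)\S+", re.I), r"\1[REDACTED-TOKEN]"),
    ("cookie", re.compile(r"(Cookie:\s*\w+=)[^;\s]+", re.I), r"\1[REDACTED-SESSION]"),
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[REDACTED-EMAIL]"),
    ("card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "[REDACTED-PAN]"),
    ("api_key", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]+"), "[REDACTED-KEY]"),
]


def redact_evidence(text: str) -> tuple[str, dict[str, int]]:
    """Apply every rule in order; return the redacted text plus a per-rule hit
    count. A zero count for a rule you expected to fire is the cue to review the
    capture by hand before it goes into the report."""
    counts: dict[str, int] = {}
    for name, pattern, replacement in REDACTION_RULES:
        text, hits = pattern.subn(replacement, text)
        counts[name] = hits
    return text, counts


if __name__ == "__main__":
    cleaned, hits = redact_evidence(SAMPLE_EVIDENCE)
    print(cleaned)
    print("redaction hits:", hits)
```

The injected value in the `id` field is deliberately untouched: it is the reproduction, not a secret, and stripping it would leave the finding unverifiable.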

Remediation

  • Actionable and specific: "use parameterized queries for this query" — not "fix SQL injection". Tie it to the root cause.
  • Prioritized: order the remediation roadmap by severity so the client fixes the worst first.
  • References: link OWASP/CWE/vendor docs so engineers can go deeper.

Retest

After the client fixes issues, a retest verifies the fix actually works (and didn't introduce a regression or an incomplete patch). The report's final state records each finding as remediated / partially remediated / open. Retesting is what closes the loop and is often contractually required.

Summary

Findings are completed by reproducible, redacted evidence and specific, prioritized remediation with references — then validated by a retest that records each as remediated, partial, or open. This is what turns a finding into reduced risk.