Cobalt Crowdsourced Application Pentest

FAQ

Deliverables


Q: What kind of deliverables can I expect from Cobalt Penetration tests?

A: You will receive both individual finding reports with detailed descriptions of each vulnerability as well as a full summary report that describes the test and findings at an executive level - perfect for sharing with stakeholders.

Q: Can I use Cobalt Penetration test reports to satisfy PCI DSS?

A: Yes. Cobalt’s penetration test reporting was built around the PCI requirements for external penetration testing, and we can support you in making sure that both the test coverage and the reporting live up to your auditor’s expectations. This can satisfy PCI DSS section 11.3.1, including confirmation of fixes related to section 11.3.3.

Q: Can I use Cobalt Pen Test reports for my Sales process?

A: Yes, many of our SaaS customers use Cobalt to show their own customers that they take security seriously. Our reporting comes in different levels of detail - from an attestation-style report to a full report with all finding details - so you can decide exactly how much you want to share with your customers.

Q: I need a pen test report ASAP, can you help me?

A: Yes, being agile and on-demand is a key part of Cobalt’s pen test offering. Schedule a demo today and we can get your testing started right away.

Q: Can I get a sample report from a Cobalt Pen test?

A: Yes, schedule a demo and we will provide you with one.

Q: How do you ensure Report Quality?

A: During each engagement, the Pen Test Lead is responsible for ensuring that each individual finding and the overall report meet Cobalt’s high standards. These Leads are very experienced individuals - in 2016, the average professional experience of Cobalt’s Pen Test Leads was 11 years. Additionally, each team member is rated on their report submissions. This provides transparency and accountability for the Cobalt Core to deliver consistently strong results.

Q: If I don’t fully understand a vulnerability report submitted by a security researcher, can I communicate with the security researcher?

A: Yes, communication is key! You can write comments directly to the researchers asking them to clarify a specific report. You can also write internal comments to your team members to enhance collaboration. We also know that pen test findings don’t always get fixed right away, so we allow direct communication with the researchers for months following the completed pen test engagement.

Q: Who can see the findings of my pen tests?

A: Only invited team members and the researchers can see the list of reported vulnerabilities. Cobalt Customer Success and SecOps members will be able to view vulnerabilities in order to support the pen test. All of this access is visible and controllable within each pen test program’s settings.

Q: Can a security researcher publicly disclose vulnerabilities found in my site?

A: Only with your permission. If a researcher wants to publicly disclose a vulnerability (anonymized or de-anonymized) to benefit the community, they will request your permission and act in accordance with your response.