juliocesarfort / public-pentesting-reports Goto Github PK

https://paragonie.com/security - So far we've published 6 of our audit reports. (I'm not sure how well Github handles pull requests that contain PDF files, but I can send one if you prefer.)

Proton VPN no-logs security audit - https://protonvpn.com/blog/wp-content/uploads/2022/04/securitum-protonvpn-nologs-20220330.pdf

Simple Login (Proton) - WEB - https://simplelogin.io/audit2022/web.pdf

Simple Login (Proton) - Android - https://simplelogin.io/audit2022/android.pdf

Livecall.io - WEB - https://sekurak.pl/wp-content/uploads/2020/06/Livecall_web_20200306_public.pdf

ProteGO Safe (Polish gov COVID app) - lang PL - https://www.gov.pl/web/protegosafe/audyt-bezpieczenstwa--zobacz-raport

CANAL + - lang PL - https://sekurak.pl/zobacz-pelen-nieocenzurowany-raport-z-testow-penetracyjnych-canal/

Annoucement : https://twitter.com/volkisau/status/1662594681937461248

report : https://handbook.volkis.com.au/assets/doc/Volkis%20-%20Anonymous%20Client%20-%20Penetration%20Test%20May%202023.pdf

https://oig.nasa.gov/docs/IG-19-022.pdf

Some great content in here!

https://cdn.sekurak.pl/eventory-sample-pentest-report.pdf

@juliocesarfort Would you mind taking a look at the Illumio assessment report below and let me know if you think it qualifies to be added to the Bishop Fox folder?

https://know.bishopfox.com/hubfs/Bishop-Fox-Research-Report-Efficacy-of-micro-segmentation-V01.pdf

Let me know what you think, Thank you.

Virginie

https://www.securityevaluators.com/hospitalhack/securing_hospitals.pdf
https://jhalderm.com/pub/papers/dcvoting-fc12.pdf

Hi Julio,
good job.

It will help to have an index including the project names in the Readme.
Happy to give it a try if you agree

Regards
Jofre

https://evait.medium.com/a-short-white-box-code-audit-of-avo-2083b08f3a95

https://storage.googleapis.com/training-public-files/Report%20penetration%20test%20-%20Avo%20v3.0.0.pre12-2023.pdf

I don't understand why the project uses the report author's organization for subdirectories? Why not subjects?

Libraries/Crypto
MobileApps
Hardware/Net
Hardware/IoT

If I want to find reports by a certain consulting company I can just go to their website. The same cannot be said if I want to find reports about domestic robots. If you actually "curated" the reports and organized them by subject you would add real value.

Hello,

first of all, thank you for doing this, it's very useful for learning!

I noticed that these reports all have different goals; some of them are code auditing reports, some are pentest reports, others are APT reports...

That's why I would suggest organizing the documents into specific folders according to their audit type. I think it would be easier to browse rather than by security companies.

Unsure if this technically counts as public, but stumbled across it on a google for other public pentest reports:

• http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/cf2016/CF2016_Security_Audit_Report.pdf

From a quick look, it seems to just be the executive summary, without any specific finding details.

Nice collection, thanks for putting this up!
Here is a couple of more: https://cure53.de/#publications

Hi i think if you separate the reports in categories like wep app pen test report, network pen test report, etc.. it will be better... Cuz most of the visitors are coming here to see more Full Black Box Penetration Testing report than app audit or blockchain blabla audit... They want full sample/examples of a real complete pentesting engagement.. maybe im wrong..

Thank you.

https://www.us-cert.gov/sites/default/files/resources/ncats/CyHy-Sample-Report.pdf
https://www.us-cert.gov/sites/default/files/resources/ncats/Phishing-Campaign-Assessment-Sample-Report.pdf
https://www.us-cert.gov/sites/default/files/resources/ncats/RVA-Sample-Report.pdf

Should new submitted PRs include a metadata txt file along with the PDF report? The number of reports has grown as others have realized its value. However, it's impossible to quickly identify mobile-related reports for example.

Metadata.txt:
Name: name.pdf
Security Company: Foo
In-Scope Company: Bar
Pentest Date: DD/MM/YYYY
In-Scope: Service A, Service B, ...
Language: Scala
Metadata: Mobile, Android, ...

This is bound to come up again but there's already some instances of this with the Kudelski Security - X41 reports.

Some suggestions on how to tackle this would be: A defined naming convention for this (which company first? Alphabetical or as it appears on the report?), or possibly a folder that is titled Joint Reports that then has folders inside.