
PT0-002 Question #233: Real Exam Question with Answer & Explanation

The correct answers are B and C: the network location of the vulnerable device and the vulnerability identifier. Of the listed items, these two are what the client actually needs to rank and act on a finding: where the affected device sits (and therefore who can reach it) and exactly which vulnerability it is (so it can be mapped to a patch or configuration change and tracked to closure).

Reporting and Communication

Question

Which of the following are the MOST important items for prioritizing fixes that should be included in the final report for a penetration test? (Choose two.)

Options

  • A. The CVSS score of the finding
  • B. The network location of the vulnerable device
  • C. The vulnerability identifier
  • D. The client acceptance form
  • E. The name of the person who found the flaw
  • F. The tool used to find the issue

Explanation

Prioritizing fixes in a penetration test report depends on two things the report must state for every finding. The network location of the vulnerable device (Internet-facing DMZ host, internal server, isolated lab or OT segment) determines real-world exposure: the same flaw is far more urgent on a host any attacker can reach than on one behind several layers of segmentation. The vulnerability identifier (a CVE or vendor advisory ID) pins down exactly which weakness was found, so the client can look up the fix, confirm which of its assets are affected, deduplicate the same issue across many hosts, and verify remediation later. A report that records only "critical finding on some host" gives the remediation team neither the urgency nor the action.

Common mistakes.

  • A. The CVSS base score is a standardized, context-free severity rating derived from the vulnerability's intrinsic characteristics (attack vector, complexity, impact). It is useful input, but it is the same number for every client and every host; the environmental adjustments that would make it reflect the client's risk depend on exactly the contextual information in B, and the score itself does not tell the client which vulnerability to fix without the identifier in C.
  • D. The client acceptance form is an administrative document confirming the scope and terms of the engagement, not a factor for technical prioritization of fixes.
  • E. The identity of the person who found the flaw is irrelevant to the technical severity or prioritization of the vulnerability.
  • F. The tool used to find the issue provides context but does not directly influence the priority of remediation for a discovered vulnerability.
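To make the explanation concrete, the following is an added example (not code from the exam page, CompTIA, or NIST SP 800-115) that ranks constructed sample findings two ways: by CVSS base score alone, and by base score weighted by the device's network location. The exposure weights, host names and VULN-nnnn identifiers are assumptions invented for the illustration, not a published scale or real CVEs. The finder and tool fields are carried on each finding but deliberately never enter the ranking, mirroring why options E and F are distractors.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Exposure weights are an assumption made for this example; they are not a
# CompTIA or NIST scale. The point is only that reachability changes urgency.
EXPOSURE_WEIGHT = {
    "internet-facing": 1.0,  # reachable by any attacker on the Internet
    "internal": 0.6,         # reachable only after a foothold on the corporate LAN
    "isolated": 0.3,         # segmented lab / OT network with no routed path in
}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # vulnerability identifier (CVE / vendor advisory); what the client must fix
    cvss_base: float  # CVSS base score, 0.0-10.0, identical for every environment
    exposure: str     # network location class, a key of EXPOSURE_WEIGHT
    finder: str = ""  # recorded for the report, deliberately unused in ranking
    tool: str = ""    # recorded for the report, deliberately unused in ranking


def contextual_score(finding: Finding) -> float:
    """CVSS base score scaled by where the device sits on the network."""
    weight = EXPOSURE_WEIGHT.get(finding.exposure)
    if weight is None:
        raise ValueError(f"unknown exposure class {finding.exposure!r} on {finding.host}")
    if not 0.0 <= finding.cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range on {finding.host}")
    return round(finding.cvss_base * weight, 1)


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Remediation order: contextual score, then raw base score, then id/host for stable output."""
    return sorted(findings, key=lambda f: (-contextual_score(f), -f.cvss_base, f.vuln_id, f.host))


def by_cvss_only(findings: Iterable[Finding]) -> List[Finding]:
    """The naive ordering the question warns against: base score alone, no location."""
    return sorted(findings, key=lambda f: (-f.cvss_base, f.vuln_id, f.host))


def group_by_identifier(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Fold the same identifier seen on many hosts into one remediation item."""
    groups: Dict[str, List[str]] = {}
    for f in findings:
        groups.setdefault(f.vuln_id, []).append(f.host)
    return groups


# Constructed sample findings: hosts and identifiers are placeholders, not real systems or CVEs.
SAMPLE_FINDINGS = [
    Finding("dmz-web-01", "VULN-0001", 7.5, "internet-facing", finder="alice", tool="nmap"),
    Finding("lab-build-01", "VULN-0002", 9.8, "isolated", finder="bob", tool="nessus"),
    Finding("hr-fileshare", "VULN-0003", 8.8, "internal", finder="alice", tool="manual"),
    Finding("dmz-mail-01", "VULN-0001", 7.5, "internet-facing", finder="bob", tool="nmap"),
    Finding("dmz-vpn-01", "VULN-0004", 9.8, "internet-facing", finder="alice", tool="manual"),
]


if __name__ == "__main__":
    print("CVSS-only order :", [f.host for f in by_cvss_only(SAMPLE_FINDINGS)])
    print("Contextual order:", [f.host for f in prioritize(SAMPLE_FINDINGS)])
    for vuln_id, hosts in group_by_identifier(prioritize(SAMPLE_FINDINGS)).items():
        print(f"{vuln_id}: {', '.join(hosts)}")
```

Sorting by base score alone puts the isolated build server (9.8) at the top of the list; once network location is taken into account it drops to the bottom, and the Internet-facing VPN gateway with the same base score leads. Grouping by identifier turns two hosts with VULN-0001 into a single remediation item with both hosts listed, which is how the client's patch team will actually work the report.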

Concept tested. Penetration test report prioritization criteria

Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

Topics

Vulnerability Prioritization · Penetration Test Reporting · Risk Assessment · Remediation Planning
