Skip to main content

When a Pentest Challenges Your Vendor's Ethical Warranty: What to Document

You just ran a pentest against a SaaS platform your company relies on. The findings are damning: hardcoded API keys in client-side code, plaintext passwords in logs, an admin endpoint that responds to any role with 'admin' in the JWT. The vendor's ethical warranty — signed off in the procurement process — pledges 'secure development lifecycle, annual third-party audits, and immediate disclosure of critical flaws.' Now you're staring at evidence that either your pentest is wrong, or their warranty is worthless. Which is it? Before you call anyone, stop. The first thing you need isn't a fix — it's documentation. Hard, timestamped, artifact-linked documentation. Because the moment you raise this issue, the vendor will ask for proof. Your legal team will ask for a chain of custody. Your CISO will ask for a risk rating. And if the dispute escalates, a judge might ask for everything.

You just ran a pentest against a SaaS platform your company relies on. The findings are damning: hardcoded API keys in client-side code, plaintext passwords in logs, an admin endpoint that responds to any role with 'admin' in the JWT. The vendor's ethical warranty — signed off in the procurement process — pledges 'secure development lifecycle, annual third-party audits, and immediate disclosure of critical flaws.' Now you're staring at evidence that either your pentest is wrong, or their warranty is worthless. Which is it?

Before you call anyone, stop. The first thing you need isn't a fix — it's documentation. Hard, timestamped, artifact-linked documentation. Because the moment you raise this issue, the vendor will ask for proof. Your legal team will ask for a chain of custody. Your CISO will ask for a risk rating. And if the dispute escalates, a judge might ask for everything. This article maps exactly what to document, in what order, and why each piece matters — so you can challenge a vendor's ethical warranty without shooting yourself in the foot.

Who Needs This and What Goes Wrong Without It

Typical roles: security manager, procurement officer, pentest lead

You're the person who signs off on vendor risk—or the one who finds the seam before it blows. I have sat in rooms where a security manager, a procurement officer, and a pentest lead stared at the same log, each seeing a different kind of problem. The manager sees a compliance checkbox turning red. The procurement officer sees a contract clause that just got expensive. The pentest lead sees a finding that could go either way. Without shared documentation, none of them sleep well.

The worst part? Each role carries a different blind spot. The pentest lead may skip recording the vendor's exact firmware version. The procurement officer might assume the test was 'standard'—it was not. The security manager trusts that the report will speak for itself. It won't. That mismatch is where leverage evaporates.

Scenario: vendor claims compliance but pentest finds violations

Imagine this: Your team runs a penetration test against a SaaS platform your company relies on for customer data. The result—three critical SQL injection points, all in modules the vendor's audit report marked as 'verified secure.' The vendor pushes back: "Our last SOC 2 showed no findings. Your methodology is wrong." Suddenly, the conversation is about your testing process, not their vulnerability.

That hurts. And it happens because you documented nothing about the test environment, the scope boundaries, or the timing of your scans. The vendor controls the narrative. Your pentest findings become noise instead of evidence. The catch: a single timestamped screenshot of the vendor's live environment, paired with the exact HTTP request payload, flips that script. Without it, you argue—you don't prove.

I have watched three million dollars in contract renegotiation evaporate because nobody recorded which patch level the vendor was running during the test.

— former procurement officer for a regional healthcare network

Consequences of poor documentation: legal exposure, lost leverage, compliance gaps

Legal exposure is the quiet killer. If a vendor later suffers a breach and your pentest flagged an issue you never formally documented, your organization absorbs liability for failing to act. The compliance gap is worse—regulators want proof you tested against the vendor's claimed controls. 'We knew' is not a compliance artifact. 'We recorded' is.

Lost leverage shows up in the room where contracts get renegotiated. A poorly documented finding is a weak bargaining chip. A crisp chain of evidence—screenshots, packet captures, signed receipts of findings—gives procurement a reason to demand a refund or a fix timeline. Without it, the vendor's legal team thanks you for the ambiguity. Wrong order of operations means you lose the argument before it starts.

I once watched a pentest lead rush through a cloud storage assessment, skipping the step where you log the API endpoint version number. The vendor later claimed the vulnerability had been 'patched in a later release.' Was that true? No way to know. The reporting window slammed shut. That's what you get when evidence is thin—deniability dressed as a process improvement.

Prerequisites: Get Your Paperwork Straight Before You Dig In

Original contract and warranty language

You need the exact wording of the vendor’s warranty—no paraphrasing, no PDF snippets that someone “thinks” covers pentest findings. I have watched teams lose three weeks arguing over whether “unauthorized access” includes a local privilege escalation that required physical console access. The original contract is your floor, not your ceiling. Dig out the signed version, the email threads where they clarified “incidental damage,” and any service-level agreements that mention vulnerability disclosure. The catch is—most warranty language was written by lawyers who never imagined a pentester inside the network. Look for escape clauses around “reasonable security measures” or “industry-standard hardening.” Those phrases will become the battleground.

Pentest scope agreement and rules of engagement

Your scope document is what separates a valid test from a liability event. Grab the final signed RoE, plus any change requests that extended the testing window or added an IP range mid-engagement. What usually breaks first is the boundary between “authorized testing” and “you touched our production payment API.” Without the scope pinned down, the vendor can argue your findings fall outside the warranty’s coverage. Print the network diagram referenced in the scope—mark the systems you actually hit. One concrete example: a tester pivoted through a jump box that fell inside scope but landed on a domain controller the vendor claimed was “infrastructure only.” Scope killed that argument instantly.

Flag this for penetration: shortcuts cost a day.

Flag this for penetration: shortcuts cost a day.

Communication channels and incident response plan

Wrong order here burns more time than any technical bug. Before you start breaking things, confirm who gets each severity level of finding and how fast they must respond. The IR plan should list primary contacts, backup contacts, and an escalation path that doesn’t route through a generic support ticket. That sounds fine until you send a critical-severity report to a low-level engineer who can’t authorize a fix. Document the chain now—name, role, phone number, expected response window. Most teams skip this: also record what the vendor promised as response time versus what the contract legally requires. Those two numbers often differ by hours or days.

I once sat through a four-hour call where both sides had the same email thread but different signature blocks—one for “notifications,” one for “emergency contacts.”

— Senior pentester recounting a blown timeline

The IR plan also dictates who holds the evidence chain-of-custody. If the vendor insists on screenshots being uploaded to their own portal, you have a documentation problem—they control the record. Push for a neutral timestamp service or your own encrypted archive. A rhetorical question worth asking: who verifies the integrity of that portal’s logs?

Core Workflow: Step by Step Through the Documentation Process

Step 1: Capture every finding with reproducible steps

Open a terminal and a text editor—start before you touch a single target system. I have seen teams burn hours reconstructing an exploit path because they waited until the end. For each finding, record the exact command, tool version, flag, and the raw output. Not just "we found an exposed API." Write which endpoint, what header leaked the key, and the timestamp your scanner hit it. The catch is that vendor legal teams will ask for proof of non-destructive intent. If your notes show you ran sqlmap --risk=3 against a production database, that screenshot becomes evidence against your warranty claim. Keep a second log of every system you touched, every payload you sent, and—critically—the vendor’s written go-ahead for each attack vector. Most teams skip this. That hurts when the vendor replies "our warranty excludes active exploitation." Wrong order? You lose a day crawling server logs to reconstruct timing.

Step 2: Link each finding to the specific warranty clause it violates

You found an SQL injection. Great—now which section of your vendor's warranty does it break? Paragraph 4.2? The "Remediation Commitment" clause? Map every finding to a line number in the contract during the test, not after. The tricky bit is that vendors often phrase warranties in vague language: "best effort" or "industry-standard security." You need concrete evidence that their claim failed. For example: if Section 3.1 promises "no default credentials in production," and you find admin:admin123 on a Jenkins dashboard, that's a direct violation. Document the clause, the finding, and the time delta between your discovery and vendor notification. I fixed this once by creating a quick table in the notes app: Clause | Finding | Timestamp | Port. That simple grid saved the engagement when the vendor tried to argue the issue existed before their warranty period started. The odder part—the clause you think is weakest often becomes your strongest paper trail.

A rhetorical question: if your vendor's warranty claims "continuous patching," but you found a four-year-old Struts2 flaw running on port 8080, who shows the timeline? You do. Stop treating findings as technical bugs—they're contractual evidence now.

Step 3: Maintain a timeline of discoveries and vendor communications

Start a shared document with a single column: UTC timestamps. Every time you escalate a finding to the vendor, log the email thread ID, the response window, and whether they acknowledged. What usually breaks first is a blown deadline—the vendor promises a 24-hour fix, you wait 72 hours, and the warranty claim collapses because you can't prove you gave them a chance to remediate. Pro tip: use a local Git repo for this timeline. Each commit is a snapshot of the evidence package before and after vendor contact. Not yet? Do it tomorrow. The timeline also catches backfire moments—if you find a critical flaw and sit on it for two weeks while the vendor's warranty expired, that negligence undermines your entire report. Mix short lines: "Emailed at 14:02. No reply. Emailed again at 16:30. Got canned response at 17:04." That granularity turns a he-said-she-said dispute into a timestamped trail. Save the raw emails as .eml files, because vendor portals sometimes "archive" (read: delete) your escalation history after 30 days.

“Document as if your vendor will hire a lawyer who reads logs like a detective reads a crime scene.”

— field engineer, two warranty disputes settled

Tools and Setup: What You'll Actually Need to Record Evidence

Screen Recording and Packet Capture Tools

The toolchain you choose dictates whether your evidence holds up or gets laughed out of a review board. I have seen perfectly good pentest findings collapse because the screen recording was 480p and the timestamp overlay showed the wrong timezone. Use OBS Studio in lossless mode for screen capture — set it to record at 30 fps minimum, with a visible system clock widget that matches the NTP-synced time on your attack machine. For packet capture, tcpdump with a rotating ring buffer (say, 10 files of 200 MB each) avoids filling your disk mid-test. The odd part is—many vendors will accept Wireshark .pcap files as gospel, even when the capture lacks interface flags or filter strings. Don't let that be you. Pair each capture with a hash digest (SHA-256) written into a plaintext log file the moment you stop recording. Not pretty. Works.

“A tool without a timestamp is just a story — and stories don't hold up in a warranty dispute.”

— paraphrased from a legal ops lead at a Big Four consultancy, during a post-mortem debrief

Version-Controlled Report Templates

Word documents with filenames like final_v2_actuallyfinal.docx are a liability. Use a git repository for your report skeleton — plain Markdown or AsciiDoc, rendered to PDF. That gives you commit history, diff visibility, and a clean chain of who wrote what and when. The catch is that non-technical stakeholders (including vendor legal teams) will demand .docx or .pdf. Fine. Automate the conversion with pandoc and a reference template that bakes in your case number, classification level, and page footer timestamps. Most teams skip this: they write findings by hand in Google Docs, then export to PDF. That breaks. Google Docs version history is not court-admissible in several jurisdictions, and the export time overwrites the original creation timestamp. So you lose the audit trail. Fix that by keeping the canonical version in git, and only generating distributable files as artifacts.

What usually breaks first is the evidence table. Build a template row with columns: Timestamp (UTC), Tool Output Hash, Capture File Path, Witness, and Notes. Fill this as you go — not after the test. I once watched a junior pentester reconstruct timestamps from his browser history because he forgot to log screenshot filenames. That hurts. Don't reconstruct; record live.

Not every penetration checklist earns its ink.

Not every penetration checklist earns its ink.

Encrypted Storage and Chain-of-Custody Logs

Evidence sitting on an unencrypted laptop is an invitation for spoliation claims. Use VeraCrypt volumes or LUKS-encrypted partitions. Mount them only during active documentation — unmount when you step away. The chain-of-custody log itself should be a printed and signed register if you deliver to a client, or a signed CSV hash manifest if internal. One rhetorical question: would you trust a forensic image that was copied over USB 2.0 with no write-blocker? Neither will their lawyer. For remote pentests, encrypt the transfer channel (SFTP or SCP, never plain FTP) and log the transfer session. That said, over-encrypting can backfire: if you lose the key, you lose the evidence. Store the key in a password manager with MFA, printed recovery codes in a safe, and a dead‑man switch notification to a colleague. Not overkill — it's insurance.

Variations: When Constraints Change How You Document

NDA Restrictions on Sharing Findings

Your client signs a non-disclosure agreement with the vendor—standard stuff. But when the pentest uncovers a critical flaw in that vendor's code, the NDA suddenly feels like a muzzle. I have seen teams freeze here, unsure what they can safely document. The fix is not to fight the NDA; it's to pre-negotiate carve-outs. Before the test, agree in writing that vulnerability details can be shared with the vendor under a joint-defense or limited-disclosure clause. Without that, your evidence log stays locked in a drawer—and the vendor never gets the screenshot that proves their API leaks session tokens.

What usually breaks first is the timestamp. You capture a packet dump at 14:03, but the NDA says you can't name the vendor until the report is redacted. So you anonymize: replace the vendor's hostname with 'Target-A' in every log entry. That works—except when the vendor needs to reproduce the bug and your redacted evidence points to a generic IP pool. The trick is to maintain a dual-chain: one clean evidentiary chain with full identifiers (password-protected, never shared), and one sanitized chain for the vendor's engineering team. Two copies, one truth.

'We logged the exploit at 10:42 UTC, but the NDA barred us from mentioning the product name until the patch was ready. That cost us a week of back-and-forth over vague screenshots.'

— Infrastructure lead, financial-sector breach response

The odd part is—vendors often prefer this arrangement. They want to control the narrative, not kill the evidence. Push for a mutual disclosure window: you get 72 hours to document fully before the NDA restrictions apply to public release. That window is your only safe space to shoot raw packet captures without worrying about legal blowback.

Remote vs. On-Site Pentest Documentation

Documenting a remote pentest feels like fixing a engine through a letterbox. You can't physically tag a switch port or photograph the server rack blinkenlights. Everything must be virtual. The catch is that remote evidence is easier for a vendor to dismiss—they can claim the timing was off, the VPN tunnel introduced latency, or the screenshot was 'staged.' So you overcompensate. Every curl command needs the full HTTP header dump. Every SQL injection attempt needs a timestamped log from both your local proxy and the target's application logs (if accessible). That double-source rule kills ambiguity.

On-site? Different headache. You have physical access, which means you can photograph BIOS passwords taped under keyboards—but you also have to document chain of custody for any device you touch. I once watched a junior tester plug a USB key into a vendor's appliance without photographing the exact port number. The vendor later claimed the evidence could have been planted. That hurts. For on-site work, use a body-worn camera or a dedicated evidence phone that records timestamps and geolocation. A single blurry photo of the serial number beats a pristine packet dump with no physical context. Remote tests get cleaner logs; on-site tests get dirtier—but more defensible—evidence.

Mixed-mode tests (part remote, part on-site) create fusion problems. Your SSH session logs are clean, but then you snap a photo of a misconfigured firewall rule on a terminal screen. The timestamp on the photo doesn't match the SSH log because you forgot to sync your phone clock. Automate clock sync before the test. Use NTP on all machines, and set your camera's timestamp to the same source. A two-minute drift can make a vendor argue you documented the wrong session. Don't give them that opening.

Rhetorical question: would you rather explain a time gap of seven seconds or defend a multi-hour discrepancy? Exactly.

Different Vendor Response Timelines and Escalation Paths

Vendors move at wildly different speeds. One patches a critical RCE in six hours; the other takes six weeks and asks for 'more proof' twice. Your documentation strategy must adapt to the response velocity. For fast vendors, you can afford to send raw, unpolished evidence—they will trust you and reproduce the bug before you finish formatting the report. For slow vendors, you need near-forensic detail from minute one, because every delay makes them question your methodology. I keep a pre-written 'fast-lane' template for quick-turn vendors and a 'slow-lane' template with extra metadata fields—CVSS vector, exact build hash, network diagram coordinates. That cuts rework by hours.

The escalation path changes what you document too. When a vendor stonewalls, your evidence must survive legal scrutiny—not just technical review. That means adding a witness signature to every critical finding, or at least a second tester's verification. I had a vendor claim the evidence was 'inconclusive' three times. The fourth time we sent a notarized affidavit from the tester who found the bug, along with the raw tcpdump file hashed to SHA-256. They patched it the next day. The moral: tailor documentation density to the vendor's trust level. High trust = lean. Low trust = everything short of DNA sampling.

One pitfall people miss: timeline misalignment between your report and the vendor's internal bug tracker. You document 'discovery at 09:15' based on your clock, but their JIRA timestamp says you reported the bug at '09:22'—they claim a seven-minute delay was 'negligent.' Avoid this by embedding your system's NTP-synced timestamp inside each evidence file (exif data for images, HTTP Date headers for web logs, ISO 8601 in all text exports). Sync before the test. Sync during breaks. Sync when the vendor changes the SLA. The seam that usually blows out is the five-minute window between your last sync and the critical finding—close that gap with a manual timestamp in your notebook.

Field note: penetration plans crack at handoff.

Field note: penetration plans crack at handoff.

Pitfalls and Debugging: What to Check When the Evidence Looks Shaky

Timestamp inconsistencies between systems

The first crack in any evidence chain is time. You grab a screenshot from the target server showing an SSH login at 14:03:22. Then you pull your proxy log—that same connection appears at 14:04:01. Vendor replies: "Our audit trail shows nothing at that moment. Your timestamps are wrong." The worst part? They might be right—or wrong in a way you can't prove. I have seen this kill a finding cold, not because the attack never happened, but because the clock on the jump box drifted forty-seven seconds over a two-week test. The fix is boring but necessary: before you run a single command, sync all system clocks to a single NTP source and capture the sync result. That cheap one-liner output—timedatectl or w32tm /query /status—becomes the paper that ties every recorded event together. Most teams skip this. Don't.

What usually breaks first is the gap between the attacker's controller and the target's local log. The intermediate hop—a SOCKS proxy, a VPN tunnel, a Bastion host—introduces latency, and latency without a verified clock baseline looks like tampering. The odd part is: you don't need sub-millisecond precision. You need a documented delta. Capture the offset before and after the test window. If the gap changes mid-run, flag it immediately. That drift alone can explain a 58-second mismatch—or expose a log that was genuinely altered.

Trust the clock you verify, not the clock you assume. A two-second skew costs you a three-week retest cycle.

— Field note from a contractor who lost a critical finding to NTP drift

Missing logs or altered artifacts

The hardest evidence to defend is the evidence that vanished. You execute an exploit, the payload drops a shell, you grab the process list—and later the vendor says "We checked our SIEM. No record of that process ever running." Either the log was never generated, the retention policy rolled it off, or someone deleted it. All three happen. The pitfall here is double: you can't prove the log existed, and you can't prove it was destroyed deliberately. The workaround is legal-grade recording of your own terminal session—script, asciinema, a full PCAP. That local capture is your independent source of truth. I have had vendors push back claiming screen recordings are "not forensic evidence." Push right back. A timestamped terminal cast showing the exploit chain, with your NTP baseline appended, beats a missing SIEM record every time.

But here is the trade-off: your own capture can become evidence against you if it's incomplete or mislabeled. One team I worked with recorded every session but never checked the output files. Two weeks later the vendor asked for the SSH brute-force log and the file was empty—corrupt capture, no retry window. That hurts. Validate your recording tools daily. A ten-second check beats a hundred-word apology in an escalation call. If the vendor claims an artifact was altered, ask for the hash chain. If they can't produce one, the burden shifts back to their custody process. That's a talking point, not a technical fix, but in a dispute it carries weight.

Vendor disputing the validity of findings

The most exhausting variation: they don't challenge the evidence—they challenge the test methodology. "You used an outdated CVE. Our patch was deployed three hours before your scan." Or "Your tool flagged a false positive because the service banner is spoofed." Sometimes they're correct, and you eat that finding. But often the vendor is exploiting ambiguity in your documentation to deflect. The fix is procedural: each finding must include the exact command, the raw output, the target environment state (patched? rebooted?), and a short justification for why that output equals a vulnerability. Skip the justification and you leave the door open. A finding that reads "Burp Suite showed a 200 response on /admin" is weak. A finding that reads "Burp Suite showed a 200 on /admin; the baseline scan on the pre-test snapshot showed a 403; the vendor confirmed no rule change occurred during the test window" is locked down. That extra sentence kills the dispute before it starts.

One rhetorical question worth asking yourself before you submit: If I were the vendor, where would I punch a hole in this? If you find the hole first, patch it in the documentation. If you can't patch it, reconsider whether the finding is solid. That self-audit stops you from defending shaky ground. When constraints forced you to skip a re-test or use a proxy that truncated some responses, flag it openly. Honest limitations are defensible; hidden gaps are not. End every evidence package with a brief "what I would improve" note—it disarms the accusation that you buried the flaws.

FAQ and Checklist: Quick Reference for the Documentation Process

What if the vendor asks you to delete findings?

The polite request lands in your inbox — “Could you remove that screenshot? It shows internal architecture.” Now what? I have seen pentesters cave because they feared burning a relationship. Don’t. The ethical warranty you signed cuts both ways. If the vendor claims a finding is “not a real vulnerability,” ask them to put that rejection in writing on official letterhead. Then preserve your original evidence in a sealed archive, timestamped and hashed. The catch: if the finding involves customer PII or active exploit code, your legal team may force deletion. That hurts — but you still log the hash, the request, and the reason. One firm I worked with got burned this way; they deleted a video, the vendor later denied the bug existed, and the client blamed the pentest firm. Keep the paper trail, even if the artifact goes dark.

How long should you keep documentation?

The short answer: three years after contract closure. That covers most breach-litigation windows and cyber-insurance audits. The messy answer — it depends on your jurisdiction. GDPR mandates data minimization; you can’t hoard raw personal data forever. Strip out names, emails, and IPs from your working notes after the final report is signed. Keep only the technical core: command outputs, packet captures, screenshots with sanitized metadata. I keep a cold-storage drive for older jobs — encrypted, offline, labeled by engagement ID. The worst scenario? A client calls you two years later asking for proof of a disputed finding, and you say “we wiped it last quarter.” That loss erases the ethical warranty you sold them. Set a calendar reminder to purge on a fixed date, not an impulse.

“Documentation isn’t just for the client — it’s your shield when a vendor rewrites history.”

— Senior pentest manager, during a third-party arbitration hearing

Checklist: 10 items to verify before closing a dispute

Use this shortlist before you mark any finding as “resolved” or “vendor-declined.” Wrong order here means you reopen arguments later without fresh evidence.

  • Original artifact (screenshot, PCAP, log) with visible timestamp and source IP
  • Hash of the artifact (SHA-256), recorded in your notes before modifications
  • Written vendor response — email, ticket, or letter — stating their position
  • Your own technical rebuttal, if the vendor claims “not reproducible”
  • Chain-of-custody log: who touched the evidence, when, and why
  • Internal peer review signature (someone who wasn’t in the trenches)
  • Client acknowledgment that they received both your finding and the vendor’s reply
  • Redacted copy for public disclosure (if the client requires CVE or advisory)
  • Backup location — at least two distinct storage media, one off-site
  • Retention date written on the archive envelope or digital label

That list feels long until a vendor denies everything and your only reply is a smirk. The final check — run the hash against the artifact one more time. Corrupted drives kill good cases faster than weak arguments.

Share this article:

Comments (0)

No comments yet. Be the first to comment!