One reason we leave these in is what was alluded to earlier; if you or another vendor were to perform the same scanning function and see the vulnerability, we’d want you to know we didn’t miss it during our testing efforts. We also like to display the manual verification to show that we did indeed test to make sure the vulnerability was or was not present. At times we are asked to remove these from our deliverables, and we typically decline. This is decided on by looking at both the overall impact on the reporting effort and the potential risk of the discovered vulnerability. In very rare cases where there is sufficient documentation and collaboration with our client we will redact the vulnerability from the deliverable. Over 95% of the time we leave it in and encourage our clients to use this to their advantage with their superiors by showing the due diligence in disproving the vulnerability and/or the fact that the problem is already remediated in most cases.
False Positives / What Are They Doing Here?