Why We Publish Our Pentest Results — G8KEPR Blog
Security · 5 min read · April 22, 2026

Why We Publish Our Pentest Results

Most security teams treat their pentest reports as closely guarded secrets. We publish ours. Here is the reasoning, and why we think transparency is a competitive advantage rather than a vulnerability.

The standard practice in enterprise software is to keep penetration test results confidential — share them with existing customers under NDA, never publish them publicly. The reasoning is that publishing findings gives attackers a roadmap.

We disagree with that reasoning, for two reasons.

Reason 1: Our Customers Are Evaluating Us on Security

G8KEPR is a security product. Our customers are CISOs, security engineers, and enterprise security teams. When they evaluate us, the first thing they want to see is our security posture — not our marketing page. If we make them request an NDA to see our pentest report, we are creating friction for exactly the audience we are trying to build trust with.

Publishing the summary publicly — findings, severities, resolutions — sends a signal that we are confident in our security posture and have nothing to hide. Every finding was resolved. We did the work. We are willing to show it.

Reason 2: Resolved Findings Are Not Attack Roadmaps

Publishing a pentest report that says "we had a ReDoS vulnerability in pattern_loader.py, fixed by capping input at 512 characters and using re2-safe evaluation" tells an attacker nothing useful. The vulnerability is gone. The fix is deployed. The finding is historical documentation, not a current attack surface.

The only way a resolved-finding summary gives attackers useful information is if you did not actually fix the finding, or if the summary implies the existence of a related vulnerability you did not address. In that case, the problem is the quality of the fix, not the publication of the summary.

What We Publish vs What We Keep Confidential

We publish: finding IDs, severities, titles, and resolution summaries. We keep confidential: the full technical narrative, proof-of-concept code, and specific payload details. The full report is available to enterprise prospects under NDA. The summary is public.

If you are a security team evaluating G8KEPR and want the full report, contact us at security@g8kepr.com. We will turn around NDA execution and report delivery within one business day.
