Don’t rely blindly on tools: even if they find something, it doesn’t mean that the particular problem is critical. Analyze each of their recommendations.
Soberly assess each security problem; not all of them are critical. The ability to apply incorrect styling to the site is not as important as the risk of compromising the data stored on the server.
Remember confidentiality: do not publish the errors you find in the public domain, and do not share them with other analysts. Agree with the site owner on the channels for transmitting the data to them, for example a dedicated software system or e-mail.
There is no need to report errors to a third-party software company unless the site owner purposefully neglects them: with the next update, the vulnerabilities will disappear. You need to look for problems in the company’s software, not in a third-party product.
Prepare test reports in text form. For example, in the case of cross-site scripting, it is enough to send the URL with the correct query string. Use video in difficult cases, when you need to monitor network requests or see the interaction between different accounts.