Evidence

Attach screenshots and images to findings as proof of discovered vulnerabilities. Evidence is embedded in exported reports.

Evidence is visual proof attached to a finding — typically screenshots demonstrating that a vulnerability exists and can be exploited. Evidence appears in your exported reports alongside the finding it belongs to.

Adding Evidence to a Finding

  1. Open a finding (either in a report or in the library)
  2. Scroll to the Evidence section
  3. Upload an image file or paste a screenshot directly from your clipboard
  4. Add a description explaining what the screenshot shows

You can attach multiple pieces of evidence to a single finding.

Evidence Fields

Each piece of evidence has the following properties:

| Field | Description |
| --- | --- |
| fileName | The name of the uploaded image file |
| Description | A caption explaining what the evidence shows |
| Image data | The image itself (stored and embedded in exports) |

Supported Formats

Vulnsy supports standard image formats:

  • PNG — recommended for screenshots
  • JPG / JPEG — suitable for photos and lower-fidelity images
  • Other standard web image formats

PNG is the best format for screenshots of application interfaces. It preserves text clarity and supports transparency.

Evidence in Exported Reports

Evidence is embedded directly into the exported DOCX file. In your report template, evidence is rendered using the {%image} tag nested inside the findings loop:

{#findings}
  Finding: {%title}
  Severity: {%severity}

  {#evidence}
    {%image}
    {%description}
  {/evidence}
{/findings}

The {#evidence} block loops over all evidence items attached to each finding. For each item, {%image} embeds the image and {%description} outputs the caption.

The {#evidence} loop must be nested inside the {#findings} loop. Evidence belongs to a specific finding and cannot be rendered outside of that context.
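
A pre-export check for the nesting rule above, added here as an example and not part of Vulnsy: it scans a template's plain text for the {#...} and {/...} loop tags shown on this page and reports an {#evidence} loop opened outside {#findings}, along with unbalanced tags. The function name check_template and both sample templates are constructed for illustration, and the code assumes the template text has already been extracted from the DOCX file.

```python
import re

# Loop tags as written on this page: {#name} opens a loop, {/name} closes it.
# Value tags such as {%image} are ignored by this pattern.
SECTION_TAG = re.compile(r"\{([#/])([A-Za-z_][\w.]*)\}")

# Constructed sample: the template layout shown on this page.
GOOD_TEMPLATE = """\
{#findings}
  Finding: {%title}
  {#evidence}
    {%image}
    {%description}
  {/evidence}
{/findings}
"""

# Constructed sample: evidence loop placed after the findings loop has closed.
BAD_TEMPLATE = """\
{#findings}
  Finding: {%title}
{/findings}
{#evidence}
  {%image}
{/evidence}
"""

def check_template(text):
    """Return a list of problems found in the template text (empty list = OK)."""
    problems = []
    stack = []  # names of the loops currently open, outermost first
    for match in SECTION_TAG.finditer(text):
        kind, name = match.groups()
        line = text.count("\n", 0, match.start()) + 1
        if kind == "#":
            if name == "evidence" and "findings" not in stack:
                problems.append(f"line {line}: {{#evidence}} opened outside {{#findings}}")
            stack.append(name)
        elif not stack:
            problems.append(f"line {line}: {{/{name}}} has no matching opening tag")
        elif stack[-1] != name:
            problems.append(f"line {line}: {{/{name}}} closes while {{#{stack[-1]}}} is still open")
            if name in stack:  # recover so later messages stay meaningful
                while stack.pop() != name:
                    pass
        else:
            stack.pop()
    problems.extend(f"{{#{name}}} is never closed" for name in stack)
    return problems
```

An empty list from check_template means every loop is balanced and each {#evidence} loop sits inside a {#findings} loop.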

Tips for Good Evidence

  • Capture the full context — include the URL bar, request/response, or relevant UI elements
  • Highlight or annotate the key area of the screenshot so reviewers can quickly identify the issue
  • Write clear descriptions: "Reflected XSS payload executing in the search results page" is more useful than "Screenshot 1"
  • Keep file sizes reasonable — crop screenshots to show only what is relevant
