Determining the quality of the assessment you receive can be tricky. Was the report short because the application is secure or because the tester cut corners? Are there no high findings because they don't exist or because they were missed? One method of judging the quality of the test is to take a good look at the level of detail in the findings that were written. Do they describe your environment specifically, or do they look like they were copied from somewhere? A good finding should contain details that not only show that the tester spent time examining your application, but also give your developers instructions on how to reproduce the vulnerability and how to start fixing it.

The findings below are examples of how Meristem approaches writing a finding. They come from an open source application (publishing findings from a previous contract would be a breach of confidentiality), but they are representative of the findings we commonly report. Each finding begins with a description of how the application works, discusses the mechanics of the vulnerability, outlines potential abuse cases, and provides recommendations on how the vulnerability can be addressed in this specific application.

There are certainly common findings for which a standard write-up provides all the detail necessary, but if the top-severity findings do not contain details that reflect your environment specifically, then you have reason to question the thoroughness of the assessment.

Sample High Finding (pdf)

Sample Medium Finding (pdf)