As mentioned in the scoring systems and scene setting, reporting requirements are strongly recommended for these challenges. Reporting is necessary for most tests, and it's good practice to keep testers in the habit of noting and reporting all that they do. If not to present to the client, then to present to the police when they eventually come knocking. Now I realize that a lot of organizations don't have standard reporting practices (or if they do, they don't stick to them), so I thought I'd provide a basic example that can be matched against.
The following report template is a generic setup that is split into three sections: summary, risk, and mitigation. Read the example through, and check the descriptions of each in the following sections.
Five servers operate one or more of the following dated software packages, which have known vulnerabilities:
OpenSSH (version 3.0.2p1)
Apache (version 6.020)
Multiple servers were found to be operating Windows while...