> What percentage of the vulnerabilities discovered are independently discovered by multiple pen testers?
Zero because we patch them as soon as we are notified. Generally at the end of the test / before the retest, but if they found something serious they would notify immediately.
>>x0x0+(OP)
Patch production, sure, but naturally you would leave them in the pen testing environment for some time in order to collect data. No data and you’re just guessing. That’s fine for amateur hour, but not business.