Re: Every company after a data leak
Of course never on purpose... However, you will probably know that pentesting engagements are extremely limited in time and scope. Therefore, if we find, say, XSS in a few locations, we report those with examples, but won't go around the site finding every single instance. The client, with access to their own code base, is better positioned to do that.
Time is better spent finding other vulnerabilities imo. Better a report that finds 10 different things than 1 thing but highlights every instance. Often these vulnerabilities are found manually rather than by automated scanners.
Pentesting engagements are on average 4 days including the report, so not everything can be uncovered in that time, especially on a system resembling Swiss cheese. We don't know how much we'll find until the testing window starts, you see.