Report disposition is the formal process of transferring the report to the care or possession of the primary authorized recipient. You are giving the report over to the client, at which point they become responsible for the report and its contents.

The report disposition should include all documentation, multiple copies (possibly printed and electronic), and acknowledgments and sign-off by the recipient. It should be up to the client's authorized recipient to distribute copies. If others request copies from the pen test team, the team should refer them to the authorized recipient.

At this point, after you have handed over the report, you should move (not copy, but move) your copy to a backup storage location and remove it from your active work area. This helps protect the data if someone attacks your systems and gains access to them.

Note: "Disposition" can also refer to the general tone of the report or the approach that it takes.