What person should I write a penetration test report as?
Some other options:
Passive voice: A vulnerability in HP Power Manager was discovered...
Present tense: HP Power Manager is vulnerable to...
It is most common (in the UK at least) to use the passive voice. I prefer using present tense when possible, and first person plural otherwise; the writing feels more personal. But this is controversial; a lot of people think reports are supposed to be formal and not at all personal.
Typically you'll see them written in first person plural, and less often in third person singular, general. You might do first person singular if you are conducting the work as an individual and not as part of a company.
Here's the format I've used. Active voice for things you did, passive voice for the state the system exists in.
At the beginning of the report: $tester (henceforth referred to as "we"/"I") tested $Application ...
For a narrative style: We/I tested the foobar, and found it was vulnerable to baz.
For a findings style: The Foo system is vulnerable to bar. We/I verified it using Baz.