Reports Basics

A report can be in any of the following states.

Open report:

  • New - once a report has been submitted, it receives the New state. At this stage you can still delete the report if you have changed your mind.

  • In Review - The triage team starts the validation process of the submission.

  • Need More Info - if the triage team needs additional details for validation, they ask for them. If we don’t hear back from you for more than 30 days, the report will be automatically closed.

  • Triaged - once we approve the report, it goes forward to the client’s security team to fix the vulnerability.

  • Paid - the company has paid the researcher for the valid report.

Closed report:

  • Resolved - the report was valid and was fixed.

  • Duplicate - the reported vulnerability has been reported before.

  • Informative - the report was useful for the company, but there is no need for immediate action or a fix.

  • Out of scope - the report was useful for the company, but the issue is outside the focus of the program.

  • Not Applicable - the report was not valid or is not related to the security of the application.

  • Spam - the report was not a valid security issue or didn’t have any useful information for the company.

  • Disclosed - the report is disclosed to the public.

Variations of states for Disclosed reports

The triage team can adjust the visibility of the report. It can be one of these:

  • Visible

  • Partially

  • Hidden

In a state of partial visibility, the team can choose what types of information to disclose:

  • Report title

  • Author name

  • Rewards

  • Comments

  • Severity

  • State

  • Participants

  • Creation date

  • Timeline

  • Target

  • Vulnerability details

  • Validation steps

  • Impact

  • Recommended fix

  • Additional information

  • Attachments
