Reports Basics

Here are all possible states of a report.

Last updated 1 month ago

Open report:

  • New - once a report has been submitted, it receives the New state. At this stage it’s possible to delete the report if you have changed your mind.

  • In Review - the triage team starts the validation process of the submission.

  • Need More Info - if the triage team needs additional details for validation, they ask for them. If we don’t hear back from you for more than 15 days, the report will be automatically closed as 'Not Applicable', but without a deduction of reputation points.

  • Triaged - once we approve the report as a valid security issue, we forward it to the client’s security team to assess its severity and recommend a fix.

  • Paid - the company has paid the researcher for the valid report.

Closed report:

  • Resolved - the report was valid and was fixed.

  • Duplicate - the reported vulnerability has been reported before. Vulnerabilities found on other platforms are also considered duplicates (even if they have not yet been fixed), provided the Company has given the HackenProof Triage team evidence that the vulnerability was found on another platform.

  • Informative - the report was useful for the company but there is no need for immediate action or a fix.

  • Out of scope - the report was useful for the company but the issue is not within the focus of the program.

  • Not Applicable - the report was not valid or it’s not connected with the security of the application.

  • Spam - the report was not a valid security issue or didn’t have any useful information for the company.

  • Disclosed - the report is disclosed to the public.

Variations of states for Disclosed reports

The triage team can adjust the visibility of the report. It can be one of these:

  • Visible

  • Partially

  • Hidden

In a state of partial visibility, the team can choose what types of information to disclose:

  • Report title

  • Author name

  • Rewards

  • Comments

  • Severity

  • State

  • Participants

  • Creation date

  • Timeline

  • Target

  • Vulnerability details

  • Validation steps

  • Impact

  • Recommended fix

  • Additional information

  • Attachments