Reports Basics

A report can be in any of the following states.

Open report:

  • New - once a report has been submitted, it receives the New state. At this stage you can still delete the report if you have changed your mind.
  • In Review - the triage team starts the validation process of the submission.
  • Need More Info - if the triage team needs additional details for validation, they ask for them. If we don’t hear back from you for more than 30 days, the report will be automatically closed.
  • Triaged - once we approve the report, it goes forward to the client’s security team to fix the vulnerability.
  • Paid - the company has paid the researcher for the valid report.

Closed report:

  • Resolved - the report was valid and was fixed.
  • Duplicate - the reported vulnerability has been reported before.
  • Informative - the report was useful for the company, but there is no need for immediate action or a fix.
  • Out of scope - the report was useful for the company, but the issue is not within the focus of the program.
  • Not Applicable - the report was not valid or is not related to the security of the application.
  • Spam - the report was not a valid security issue or didn’t have any useful information for the company.
  • Disclosed - the report is disclosed to the public.

Variations of states for Disclosed reports

The triage team can adjust the visibility of the report. It can be one of these:

  • Visible
  • Partially
  • Hidden

In a state of partial visibility, the team can choose which types of information to disclose:

  • Report title
  • Author name
  • Rewards
  • Comments
  • Severity
  • State
  • Participants
  • Creation date
  • Timeline
  • Target
  • Vulnerability details
  • Validation steps
  • Impact
  • Recommended fix
  • Additional information
  • Attachments