Validating Report
Last updated
In this section, we will validate the incoming reports, determining if the reported vulnerabilities are legitimate or simply false positives.
When you open a vulnerability report, it is presented in the standard report format shown below.
At the bottom of the report you will find the 'Action' section, where all incoming reports are validated.
Here are the details of the Actions available.
Here’s a video tutorial on triaging and adding rewards to a report.
UPDATE STATUS
This action allows you to update the current status of report submissions.
SELECT STATUS:
DUPLICATE: Indicates that the vulnerability has already been reported.
NOT APPLICABLE: Used when the vulnerability or report is deemed invalid or not applicable.
TRIAGED: Signifies that the vulnerability is valid and has been accepted.
WON'T FIX: Indicates that the vulnerability poses an acceptable risk and will not be addressed.
Additional statuses become available only once the report has been marked as 'TRIAGED.'
CHANGE STATUS
UNRESOLVED: Indicates that the vulnerability has been accepted and assigned to a developer for resolution. At this stage, you can also add a reward for the report.
RESOLVED: Once the vulnerability has been fixed, the status can be updated to Resolved.
Duplicate submissions are common within the program, which can make them challenging to manage. However, you can easily handle duplicates by using the 'Search Vulnerability' option under Duplicate.
To mark a report as a duplicate:
CHANGE STATUS > DUPLICATE
Each vulnerability report will include a severity level based on the reporter's assessment, but it may need adjustment according to the customer's standards. This action allows you to modify the current severity of the report submission.
SELECT SEVERITY:
CRITICAL: Indicates a vulnerability with a severe impact on the customer's assets or business.
HIGH: Indicates a vulnerability with a significant impact on the customer's assets or business.
MODERATE: Indicates a vulnerability with a moderate impact on the customer's assets or business.
LOW: Indicates a vulnerability with a minimal impact on the customer's assets or business.
INFORMATIONAL: Represents a vulnerability posing an acceptable risk to the customer.
If you have another team member in your organization to validate the incoming reports, you can assign those reports to them.
If the reporter has submitted the vulnerability with an incorrect vulnerability type, you or the customer can adjust the vulnerability type using this action.
If the report title contains errors or differs slightly from the actual vulnerability, you or the customer can update or adjust the title using this action.
If the report description lacks sufficient information to validate the submission, you can add a 'Need More Info' flag to the report. This flag indicates that you are requesting the reporter to provide additional details, which will facilitate the validation process for the submission.
If the reporter submits spam reports with unnecessary comments, you can lock the report to prevent the reporter from making further comments.
ADD REWARD
Adding a reward to a report is straightforward; however, the report status must be 'UNRESOLVED' before a reward can be added.
NEW > TRIAGED > UNRESOLVED > ADD REWARD
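The status rules above (first-level statuses reachable from NEW, UNRESOLVED and RESOLVED only after TRIAGED, duplicates linked to the earlier report, rewards only while UNRESOLVED) as a small workflow model. This is an added illustration, not the platform's own code; the `Report` class, field names and the transition table are assumptions built from this page's description.

```python
from dataclasses import dataclass
from typing import Optional

# Status transitions as this page describes them: four first-level statuses
# from NEW; UNRESOLVED and RESOLVED only become available after TRIAGED.
TRANSITIONS = {
    "NEW": {"DUPLICATE", "NOT APPLICABLE", "TRIAGED", "WON'T FIX"},
    "TRIAGED": {"UNRESOLVED"},
    "UNRESOLVED": {"RESOLVED"},
}


def allowed_next(status: str) -> set:
    """Statuses a triager may move a report to from `status` (empty if terminal)."""
    return set(TRANSITIONS.get(status, ()))


@dataclass
class Report:
    title: str
    severity: str
    status: str = "NEW"
    duplicate_of: Optional[int] = None  # id of the earlier report, if DUPLICATE
    reward: Optional[int] = None

    def update_status(self, new: str, duplicate_of: Optional[int] = None) -> str:
        if new not in allowed_next(self.status):
            raise ValueError(f"cannot move {self.status} -> {new}")
        if new == "DUPLICATE":
            # Closing as duplicate must record which report it repeats.
            if duplicate_of is None:
                raise ValueError("DUPLICATE requires the original report id")
            self.duplicate_of = duplicate_of
        self.status = new
        return self.status

    def can_add_reward(self) -> bool:
        # Rewards may only be added while the report is UNRESOLVED.
        return self.status == "UNRESOLVED"

    def add_reward(self, amount: int) -> int:
        if not self.can_add_reward():
            raise ValueError("reward requires status UNRESOLVED")
        self.reward = amount
        return self.reward


def triage_and_reward(report: Report, amount: int) -> Report:
    """Walk the page's path NEW > TRIAGED > UNRESOLVED > ADD REWARD."""
    report.update_status("TRIAGED")
    report.update_status("UNRESOLVED")
    report.add_reward(amount)
    return report
```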
Since rewards are presented in ranges, you can adjust the reward amount based on the report's severity.
Enter your desired reward amount in the input field and click 'Submit.' After submitting, you will need to switch to the payment gateway to complete the transaction.
Currently, we only support payments through eSewa and Fonepay.
We plan to add more payment methods in the future.
After completing your payment, you will be redirected to the payment confirmation page.
You have now successfully completed the payment.