Validating Report

Here, we will validate the incoming reports: for each reported vulnerability we decide whether it is a genuine, reproducible issue or a false positive.

When you open any vulnerability report, it is displayed in the standard report format.

At the bottom of the report you will see the 'Action' section. This is where all incoming reports are validated.

Here are the details of those actions.

Here's a video tutorial on how to triage a report and add a reward to it.

CHANGE STATUS

Using this action, you can change the current status of a submitted report.

SELECT STATUS:

  1. DUPLICATE: The same vulnerability has already been reported by someone else.

  2. NOT APPLICABLE: The vulnerability or report is invalid, out of scope, or otherwise not applicable.

  3. TRIAGED: The vulnerability has been reproduced and is accepted as valid.

  4. WON'T FIX: The vulnerability is valid but poses an acceptable risk, so no fix is planned.

A few other statuses become available only after the report has been set to 'TRIAGED':


UNRESOLVED: The vulnerability has been accepted and assigned to a developer for a fix. Once a report is in this status, you will be able to add a reward to it.

RESOLVED: Once the reported vulnerability has been fixed, change the report status to RESOLVED.

MANAGING DUPLICATE

You will encounter many duplicate submissions in a program, so keeping track of duplicates can be hard. The search box under Duplicate makes this easy: search for the original report and link the new submission to it.

To mark a report as a duplicate:

CHANGE STATUS > DUPLICATE

CHANGE SEVERITY

Every vulnerability report carries a severity chosen from the reporter's perspective, but the triager needs to set it to the correct level based on the actual impact on the customer. Using this action, you can change the current severity of the submission.

SELECT SEVERITY:

  1. CRITICAL: The vulnerability has a critical impact on the customer's assets or business.

  2. HIGH: The vulnerability has a high impact on the customer's assets or business.

  3. MODERATE: The vulnerability has a moderate impact on the customer's assets or business.

  4. LOW: The vulnerability has a low impact on the customer's assets or business.

  5. INFORMATIONAL: The finding has no meaningful security impact and represents an acceptable risk for the customer.

ASSIGN TO

If another team member at your organization validates incoming reports, you can assign reports to that team member.

UPDATE VULNERABILITY TYPE

If the reporter has filed the report under the wrong vulnerability type, the triager or customer can correct the vulnerability type using this action.

UPDATE BUG TITLE

If the reporter has given the report a title that is inaccurate or does not match the actual vulnerability, the triager or customer can update the title using this action.

NEED MORE INFO

If the report description does not contain enough information to validate the submission (for example, missing reproduction steps), you can set the 'Need More Info' flag on the report. This asks the reporter to add the missing information so the submission can be validated.

LOCK

If the reporter spams the report with unnecessary comments, you can lock the report, which prevents the reporter from commenting on it further.

ADD REWARD

Adding a reward to a report is straightforward, but the report status must be 'UNRESOLVED' before a reward can be added:

NEW > TRIAGED > UNRESOLVED > ADD REWARD

Rewards are presented as ranges, so you can adjust the reward amount within the range that matches the report severity.

Enter the reward amount in the input field and click 'Submit'. You will then be taken to the payment gateway to complete the payment.

Currently, we only support eSewa and Fonepay.

We will be adding more payment methods in the future.

Once you make your payment, you will be redirected to the payment complete page, and the reward payment is done.
