Pentest Reports' Statuses
A pentest vulnerability report goes through multiple stages of processing, involving several stakeholders who may need to take action depending on the report’s status.
The key stakeholders include:
Pentesters who submitted the report
The Lead Pentester who is able to generate the final report
The Organisation (BU Owner, BU Manager, Program Manager), which conducts the pentest and changes the reports' statuses
At the end of the workflow, reports are deemed either Valid or Invalid.
ℹ️ To learn more about the structure of vulnerability reports, click here.
Status Definitions
Invalid Reports
“Duplicate”: the vulnerability exists but has already been reported, either internally, within a Bug Bounty program, or within a Pentest Program. When you select this option, you can select another report ID or select “Internally tracked”.
“Not Applicable” or “Invalid”: the report does not demonstrate a vulnerability.
“Out of Scope”: the vulnerability exists but is outside of the program’s scopes.
“Spam”: the report is not relevant, does not contain a PoC, or a Pentester submitted the same one several times.
ℹ️ Spam should not be used on a regular basis; use it only on rare occasions, as it can be considered quite extreme.
“RTFS” (Read The Fine Scope): the report does not follow the program rules (qualifying and non-qualifying vulnerabilities).
Examples:
A captcha bypass has been defined as a “Non qualifying vulnerability”. A report with such a vulnerability will be closed as “RTFS”.
A vulnerability is found, but it is outside the program’s scopes. The report will be closed as “Out of scope”.
Valid Reports
“Won’t fix”: the vulnerability exists but the Program Manager has indicated that a patch will not be deployed.
Example: the cost of remediation is too high for the organisation and the risk has been accepted.
“Informative”: the report shows a potential issue, but one not impactful enough to be fixed.
“Accepted”: the report has been accepted and the patch is upcoming.
“Resolved”: the vulnerability has been fixed and retested.
ℹ️ A report might be valid but closed as “Informative” because of the minor impact.
A report cannot be set as “Duplicate” if it has been set as “Resolved”.
ℹ️ Learn more about the workflow of vulnerability reports with this dedicated article.
Where can I see the current reports and their statuses?
Go to the “Vulnerability Center”
This list displays, on the right, a “Status” column that can be filtered to only show reports of a given status.
This status is also shown in your Vulnerability Reports:
Open the Vulnerability Report of your choice
Check the right-side menu for information on the different statuses
Find the timeline of status modifications within the comments of the report.
How does each report status appear in the final report?
Synthesis of findings
For each scope, the final report describes the distribution of vulnerabilities by bug types and severity, as well as a comprehensive list sorted by CVSS.
⚠️ Reports must be marked as “resolved” to be displayed as “Fixed” in the final report.
Detailed reports
Each report, together with its technical details and the bug description, is detailed in a specific appendix of the final report.
⚠️ Even if a pentester discards a submitted report, it won’t be completely removed from the vulnerability center and will appear in the final report as an unfixed vulnerability. Therefore, it is recommended to fully edit the existing report rather than discarding it and creating a new one.
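The status rules above (the valid/invalid grouping, the constraint that a “Resolved” report cannot become “Duplicate”, and the way only “Resolved” reports appear as “Fixed” in the final report) modelled as a small Python example. This is an added illustration, not the platform's own code; the `Report` class, `can_set_status`, `final_report_label` and `synthesis` helpers and the sample CVSS values are assumptions, and the treatment of invalid reports as non-findings is an assumption the page does not state.

```python
from dataclasses import dataclass, field

# Status names and their valid/invalid grouping follow the page's definitions.
INVALID = {"Duplicate", "Not Applicable", "Invalid", "Out of Scope", "Spam", "RTFS"}
VALID = {"Won't fix", "Informative", "Accepted", "Resolved"}


@dataclass
class Report:
    report_id: str
    cvss: float
    history: list = field(default_factory=list)  # status timeline, oldest first
    discarded: bool = False                      # set by the submitting pentester

    @property
    def status(self):
        return self.history[-1] if self.history else None


def can_set_status(report, new_status):
    """True if the transition respects the page's rules."""
    if new_status not in INVALID | VALID:
        return False
    # A report cannot be set as "Duplicate" once it has been "Resolved".
    if new_status == "Duplicate" and "Resolved" in report.history:
        return False
    return True


def set_status(report, new_status):
    if not can_set_status(report, new_status):
        raise ValueError(f"cannot set {report.report_id} to {new_status!r}")
    report.history.append(new_status)


def final_report_label(report):
    """Only "Resolved" is shown as Fixed; a discarded report is still listed as unfixed.
    Assumption: invalid reports are not counted as findings."""
    if report.status == "Resolved":
        return "Fixed"
    if report.discarded or report.status in VALID:
        return "Unfixed"
    return None


def synthesis(reports):
    """Per-label counts plus the findings list sorted by CVSS, highest first."""
    counts = {"Fixed": 0, "Unfixed": 0}
    findings = []
    for r in reports:
        label = final_report_label(r)
        if label is not None:
            counts[label] += 1
            findings.append((r.report_id, r.cvss, label))
    findings.sort(key=lambda f: f[1], reverse=True)
    return counts, findings
```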
What happens after the pentest campaign is stopped?
Organisations can continue to manage their pentest reports even after the campaign has ended. Send comments to your team and pentesters, change statuses, and request fixes for submitted reports to remediate all vulnerabilities.
⚠️ When the pentest campaign stops, a final report that has already been generated can no longer be modified, even if further reports are resolved afterwards.
To know more about final report generation, click here.