[CORE] New Host field in the report metadata
Key changes
A new "Host" field is now displayed in all vulnerability reports' metadata.
ℹ️ Notes:
A new "Host" column is now available in the Vulnerability Center to filter the results on specific hosts.
This host field is also available in the YesWeHack API and Bug Tracker integrations.
Retro-activity: this new host field will be filled in on every existing report, without overriding existing information.
Impact
This new field gives organisations better visibility on their vulnerabilities and simplifies report management.
Audience
All organisations with reports in their vulnerability center.
Usage
ℹ️ Notes:
The Host field of Autonomous Pentest findings cannot be edited.
Go to the Vulnerability Center
Open a given report
ℹ️ The report title now includes the host instead of the scope.
Find the Host field below the Scope field
Click on “View Host” to open the corresponding host page
ℹ️ This button is only available to our Autonomous Pentest and Continuous pentesting customers.
If the Host doesn’t exist on your Attack Surface, you can add it as a Primary Asset to continuously monitor it.
[CORE] Automated Metadata Completion
Key changes
Report metadata is critical for organisations to accurately assess vulnerabilities and their impact.
To accelerate report processing and improve consistency, we're introducing Automated Metadata Completion, which suggests or automatically populates the fields.
These suggestions are applied to the following fields:
Bug Type
Endpoint
Host
Vulnerable part
Parameter
Payload
Impact
Metadata suggestions eliminate manual data entry, reducing the time needed to process vulnerability reports.
Audience
All organisations with vulnerability reports in their Vulnerability Center.
Usage
ℹ️ Notes:
The Metadata Completion feature is enabled by default and can't be applied to imported reports.
Example:
Go to the Vulnerability Center
Click on a chosen vulnerability report
Click on “Edit” in the report metadata section
Find all metadata suggestions
Apply suggestions one by one or click on “Apply all” at the top right corner
ℹ️ Notes:
This example uses the "On-demand" configuration. To have metadata populated automatically on every report, select "Auto" in the configuration panel.
[CORE] Configurable Severity Threshold for Assessment Notifications
Key changes
Organisations can now set a minimum severity threshold for triage notifications, so teams only get alerted on assessments that meet their criteria.
Impact
Organisations can now manage triage assessment according to their priority levels.
Audience
All users of the YesWeHack platform with triaged reports.
Usage
Go to your “User Settings”
Click on “Notifications”
Check the email box for triage assessment notifications
Define the severity level
ℹ️ By default, the severity level is set to None, meaning that every assessment will trigger a notification.
[ANPT/CPT] End-of-life statuses for exposed Technologies
Key changes
The YesWeHack platform already provides organisations with a list of technologies identified in their primary assets and hosts, along with an overview of potential CVEs affecting these technologies. New icons now alert organisations when a technology is outdated or soon-to-be outdated.
Impact
Organisations can now proactively manage their exposed technologies by tracking product lifecycles and identifying end-of-life statuses directly within the platform.
Audience
All Autonomous Pentest (ANPT) and Continuous Pentesting (CPT) customers with exposed technologies.
Usage
ℹ️ These new icons are displayed in the different Attack Surface tabs (e.g., Hosts, Technologies) and on the CVE Alert page. Learn more here.
Go to the “Attack Surface” tab
Click on “Hosts” in the left-side menu
Select a host
Go to the “Technologies” tab
⬆️[ANPT] Automatic confirmation of detected issues
Key changes
Organisations can now enable automatic confirmation of detected issues, turning them into Vulnerability Reports as soon as a detection occurs.
This automated confirmation can be set by priority levels.
Impact
With automatic confirmation, organisations streamline their handling of Detected Issues by removing the confirmation step.
Audience
All Autonomous Pentest (ANPT) customers.
Usage
ℹ️ This feature is configured at the Business Unit level.
Go to your “Admin Panel”
Click on “Attack Surface > Security Check” in the left-side menu
ℹ️ Security Check must be enabled to access this feature. Learn more here.
Click on “Advanced settings”
Enable automatic confirmation
Select a priority level
Click on “Save”
[ANPT/CPT] Export technologies instances
Key changes
Organisations can now export information about technologies (e.g., host, version, last reach date, and report ID) from the YesWeHack platform. The export will take into account all selected filters.
Audience
All Autonomous Pentest (ANPT) and Continuous Pentesting (CPT) customers with exposed technologies
Usage
Go to the “Attack Surface” tab
Click on “Technologies” in the left-side menu
Click on “Export”
Select the format: CSV, XLS or JSON
Select a Business Unit
Check the box to apply filters (Optional)
Click on “Export”
ℹ️ All exported files appear in the Export History.
[PTM] Report transfer between programs
Key changes
Organisations can now transfer reports from one Pentest program to another, avoiding having to recreate them manually.
Audience
All Pentest Management customers.
Usage
ℹ️ Report transfer must be enabled in the Admin platform to access this feature. Please contact your dedicated Customer Success Manager for more information.
Select a report from a Pentest program.
Click on “Transfer report”
ℹ️ You need to start at least one other Pentest program to see this button.
Select the program where you want to transfer the report
Click on “Transfer”
⬆️[BugTrackers] Synchronisation based on Program Type
ℹ️ Find more information about the YesWeHack BugTracker here.
Key changes
Organisations can now filter which reports to synchronise with their Bug Trackers based on the program types (e.g., Bug Bounty, Pentest) they belong to.
Impact
Organisations no longer have to configure a tracker for each program they want to track.
Audience
All organisations using the YesWeHack to Bug Tracker client.
Usage
⚠️ For current users of the YesWeHack Bug Tracker: it is not possible to revert changes once the configuration has been updated.
Go to your YesWeHack Bug Tracker configuration panel
⚠️ Please note that if you have several configurations for the same bug tracker projects, they must all use the same KEY. Modifying the KEY value is not recommended, as this will result in all your reports being duplicated within the bug tracker.
When creating a new configuration, in the YesWeHack section > Programs section (Note: The previous steps before "Set up YesWeHack tracker" remain unchanged):
Enter a “criteria title” (optional)
Indicate “Program slugs” (Optional). (Note: Write “ * ” to include all programs of a program type.)
ℹ️ This field is now optional, but for organisations that keep their current configuration, there will be no impact.
And/or check each box of the program type options you want to track. In our case, select “Bug Bounty” to track all Bug Bounty programs.
TIPS:
If you select all program types, the tracker will include all programs within your Business Unit.
To track one Bug Bounty program and one Pentest program, enter the program slugs without selecting a program type (i.e., the “old” configuration).
Personal access token: It is not possible to edit an existing PAT (Personal Access Token); it can only be revoked. However, you can create a multi-role PAT to grant access to several programs (e.g., programs 1, 2, and 3). A bug tracker at the Business Unit level can also be used in this case.
[MISC]
[CORE] The character limit for the program description and program account access fields has been increased.
[CORE] The global search bar in the Vulnerability Center now supports CVE ID queries, returning all vulnerability reports associated with that CVE.
[CORE] Emails related to the same report are now automatically grouped into a single thread in your inbox, making it easier to view the full history.
[BugTrackers] All reports of a given program can now be grouped automatically under the same JIRA epic.
[ANPT] In the metadata, organisations can no longer edit the app fingerprint related to outdated technologies and potential CVE reports.
[ANPT] Reports generated through the Autonomous Pentest solution are now automatically tagged by their source of creation, enabling organisations to better track these vulnerability reports (i.e., detected_issue, potential_cve, outdated_technology).
[ANPT] A new message is displayed to explain the impact of excluding an asset (i.e., "Excluded assets are hidden from the platform and are not included in discovery or security check scans.").
[ANPT] Two “Go to” buttons (i.e., “Go to the report” and “Go to the technology”) are now available when clicking on “Hosts tab > selected Host > Technologies”.
[ANPT] Organisations can now filter a technology’s potential CVEs by status. (Note: By default, the status is filtered to “pending” and “confirmed”.)
[HUNTER] New notifications about programs (i.e., enabled, disabled, updated) are available to inform hunters of any program changes.
[HUNTER] A new “Disabled” tag is now displayed on programs to help hunters understand why they cannot submit a report.
















