Understanding Vulnerability Triage and Reporting Status
Last updated July 24, 2024
After you submit a vulnerability report on HackerOne, it enters a process of review, validation, and resolution. Understanding the different stages and reporting statuses associated with this process will help you navigate the journey of your report, track its progress, and understand the actions taken by the program team.
The Triage and Resolution Process:
- Initial Review and Validation: The program team first reviews your report and its associated PoC to confirm that it's a legitimate vulnerability. This stage focuses on verifying the accuracy of the information provided and ensuring the issue meets the program's criteria.
- Triage and Prioritization: The program team analyzes the severity and potential impact of the vulnerability, considering factors such as exploitability, the scope of impact, and the potential for harm. Vulnerabilities are then prioritized accordingly.
- Communication and Feedback: During the triage process, the program team will communicate with you, providing updates on the status of your report. This may involve requesting additional information, clarifying details, or providing feedback on your findings.
- Resolution and Remediation: Once a vulnerability is validated, the program team works with the responsible parties to develop and implement a fix or remediation plan. This may involve patching software, updating configurations, or implementing security controls.
- Disclosure and Recognition: Upon successful resolution, the program team may publicly disclose the issue, crediting you for your discovery. This can include publishing a security advisory, providing a bug bounty reward, or offering other forms of recognition.
Understanding Reporting Statuses:
- New: Your report has been submitted and is awaiting initial review by the program team.
- Triaged: The program team has reviewed your report, validated the vulnerability, assigned a severity level, and determined the next steps.
- In Progress: The program team is actively working with the responsible parties to develop and implement a fix or remediation plan.
- Resolved: The vulnerability has been addressed, and the program team has confirmed the fix is in place.
- Reopened: The vulnerability has been reopened due to a failed fix, new information, or a recurrence of the issue.