Understanding Vulnerability Triage and Resolution
Last updated July 24, 2024
After you submit a vulnerability report on HackerOne, it enters a process of review, validation, and resolution. Understanding this process, known as vulnerability triage and resolution, will help you follow your report's progress and understand how it contributes to the overall security of the program.
The Triage and Resolution Process:
- Initial Review and Validation: The program team begins by reviewing your report and its associated proof of concept (PoC). They verify the accuracy of the information provided and determine whether the reported issue is a legitimate vulnerability.
- Triage and Prioritization: The program team assesses the severity and potential impact of the vulnerability. This involves considering factors like the exploitability, the scope of impact, and the potential for harm. Vulnerabilities are then prioritized based on their severity and potential impact.
- Communication and Feedback: The program team will communicate with you throughout the triage process, providing updates on the status of your report. This may involve requesting additional information, clarifying details, or providing feedback on your findings.
- Resolution and Remediation: Once a vulnerability is validated, the program team will work with the responsible parties to develop and implement a fix or remediation plan. This may involve patching software, updating configurations, or implementing security controls.
- Disclosure and Recognition: Upon successful resolution of the vulnerability, the program team may publicly disclose the issue, crediting you for your discovery. This can include publishing a security advisory, providing a bug bounty reward, or offering other forms of recognition.
Understanding Reporting Statuses:
- New: Your report is newly submitted and waiting to be reviewed by the program team.
- Triaged: The program team has reviewed your report, validated the vulnerability, and assigned a severity level.
- In Progress: The program team is working with the responsible parties to develop and implement a fix or remediation plan.
- Resolved: The vulnerability has been addressed, and the program team has confirmed that the fix is in place.
- Reopened: The vulnerability has been re-opened due to a failed fix, new information, or a recurrence of the issue.