What is a vulnerability?

A vulnerability is anything that poses a risk to the security of the application (its integrity, availability, confidentiality, or non-repudiation).

How is the score of a vulnerability calculated?

Fluid Attacks uses CVSS (Common Vulnerability Scoring System), a "standardized framework used to rate the severity of security vulnerabilities in software." It gives us a quantitative measure from 0 to 10, where 0 is the lowest level of risk and 10 the highest and most critical, based on the qualitative characteristics of a vulnerability.

Do I get all the information about my vulnerabilities?

Continuous Hacking has an interactive reporting platform, our Attack Surface Manager (ASM). ASM gives all project stakeholders access to details concerning vulnerabilities reported by Fluid Attacks. (We have the source code of all our products in our public repository.)

What happens when a vulnerability is reported?

After a report, the main objective for developers is to eliminate the vulnerability. Through ASM, a client company's developers can access detailed first-hand information regarding a vulnerability in order to plan and execute corrective measures to remove it from the application.

What happens when a vulnerability is remediated?

Through ASM, any user with access to the project can request verification of a remediated vulnerability. A request for verification that a remediated vulnerability no longer poses a risk must be accompanied by notification from you that the planned remediation has been executed. We then perform a closing verification to confirm the effectiveness of the remediation. Results of the closing verification are then forwarded to the project team by email.

How many closing verifications are included in the Squad Plan?

The Squad Plan offers unlimited closing verifications.

If you can access my repo, why notify you about a remediated vulnerability?

One of the Squad Plan's objectives is to maintain clear and effortless communication between all project members. Your notification serves that objective: because the message goes through ASM, the entire project team is notified.

What happens if I do not consider something a vulnerability?

Within ASM, there is a comment section. A client company can post its reasons for believing a vulnerability finding is not valid. Our experts and all other project members can then discuss the merits of the finding and its validity as a security risk in order to reach a final decision.

Do all reported vulnerabilities have to be remediated?

No. However, this decision is made entirely by the client, not by us, and the client assumes all responsibility for possible negative impacts of non-remediation. In ASM, under the treatment option, a client company indicates whether it will remediate or assume responsibility for an identified vulnerability.

If a client does not remediate a vulnerability, is it excluded from ASM?

No. Reports and ASM include information regarding all vulnerabilities, along with whether vulnerabilities were remediated or not.

Do you keep information regarding the discovered vulnerabilities?

Information is only kept for the duration of the contract. Once the contract has ended, information is kept for seven business days and then deleted from all our information systems.

How will our data be erased?

ASM uses an automated erasing process, removing all the project information from our systems and generating a Proof of Delivery signed via Docusign.