A vulnerability is anything that represents a security risk (Integrity, Availability, Confidentiality, Non-repudiation) to the application.
Fluid Attacks uses CVSS
(Common Vulnerability Scoring System),
a “standardized framework
used to rate the severity
of security vulnerabilities in software.”
It gives us a quantitative measure,
0 being the lowest level of risk
and 10 the highest
and most critical level of risk,
based on the qualitative characteristics
of a vulnerability.
Continuous Hacking has an interactive reporting platform,
our Attack Surface Manager (ASM).
ASM gives all project stakeholders
access to details concerning vulnerabilities
(We have the source code of all our
After a report,
the main objective for developers
is to eliminate the vulnerability.
A client company’s developers
can access first-hand detailed information
regarding a vulnerability
in order to plan
and execute corrective measures
to remove it from the application.
Any user with access to the project
can request verification
of a remediated vulnerability.
A request for verification
that a remediated vulnerability
no longer poses a risk
must be accompanied
by notification from you
that the planned remediation
has been executed.
We then perform a closing verification
to confirm the effectiveness
of the remediation.
Results of the closing verification
are then forwarded
to the project team by email.
The Squad plan offers unlimited closing verifications.
One of the Squad plan's objectives
is to maintain clear
and effortless communication
between all project members.
This is accomplished
when you notify us
because the message goes through
and by doing so,
the entire project team is notified.
In ASM there is a comment section.
A client company can post its reasons
for believing a vulnerability finding
is not valid.
Our experts and all other project members
can then interface and discuss
the relative merits
of the vulnerability finding
as well as its validity
as a security risk,
and a final determination can be made.
This decision is made entirely by the client,
not by us,
and the client assumes all responsibility
for possible negative impacts.
Under the treatment option,
a client company indicates
whether it will remediate
or assume responsibility
for an identified vulnerability.
include information regarding all vulnerabilities,
along with whether vulnerabilities
were remediated or not.
will include all the information
with nothing excluded.
Information is only kept
for the duration of the contract.
Once the contract has ended,
information is kept for
7 business days
and then deleted
from all our information systems.
ASM uses an automated erasing process,
removing all the project information
from our systems
and generating a
Proof of Delivery