Skip to main content

Vulnerabilities

What is a vulnerability?#

A vulnerability is anything that represents a security risk (Integrity, Availability, Confidentiality, Non-repudiation) to the application.

How is the score of a vulnerability calculated?#

Fluid Attacks uses CVSS (Common Vulnerability Scoring System), a “standardized framework used to rate the severity of security vulnerabilities in software.” It gives us a quantitative measure ranging from 0 to 10, 0 being the lowest level of risk and 10 the highest and most critical level of risk, based on the qualitative characteristics of a vulnerability.

Do I get all the information about my vulnerabilities?#

Continuous Hacking has an interactive reporting platform, our Attack Surface Manager (ASM). ASM gives all project stakeholders access to details concerning vulnerabilities reported by Fluid Attacks. (We have the source code of all our products in our public repository.)

What happens when a vulnerability is reported?#

After a report, the main objective for developers is to eliminate the vulnerability. Through ASM, a client company’s developers can access first-hand detailed information regarding a vulnerability in order to plan and execute corrective measures to remove it from the application.

What happens when a vulnerability is remediated?#

Through ASM, any user with access to the project can request verification of a remediated vulnerability. A request for verification that a remediated vulnerability no longer poses a risk must be accompanied by notification from you that the planned remediation has been executed. We then perform a closing verification to confirm the effectiveness of the remediation. Results of the closing verification are then forwarded to the project team by email.

How many closing verifications are included in the Squad plan?#

The Squad plan offers unlimited closing verifications.

If you can access my repo, why notify you about a remediated vulnerability?#

One of the Squad plan's objectives is to maintain clear and effortless communication between all project members. This is accomplished when you notify us because the message goes through ASM and by doing so, the entire project team is notified.

What happens if I do not consider something a vulnerability?#

Within ASM there is a comment section. A client company can post its reasons for believing a vulnerability finding is not valid. Our experts and all other project members can then interface and discuss the relative merits of the vulnerability finding as well as the validity of it as a security risk, and a final determination can be made.

Do all reported vulnerabilities have to be remediated?#

No. However, this decision is made entirely by the client, not by us, and the client assumes all responsibility for possible negative impacts of non-remediation. In ASM, under the treatment option, a client company indicates whether it will remediate or assume responsibility for an identified vulnerability.

If a client does not remediate a vulnerability, is it excluded from ASM?#

No. Reports and ASM include information regarding all vulnerabilities, along with whether vulnerabilities were remediated or not. Reports and ASM will include all the information with nothing excluded.

Do you keep information regarding the vulnerabilities found?#

Information is only kept for the duration of the contract. Once the contract has ended, information is kept for 7 business days and then deleted from all our information systems.

How will our data be erased?#

ASM uses an automated erasing process, removing all the project information from our systems and generating a Proof of Delivery signed via Docusign.