False negatives

Last updated: Jun 30, 2026


Definition

A false negative (FN) is an erroneous report indicating that a vulnerability does not exist or is absent.

Specifically, Fluid Attacks considers false negatives as instances when it fails to report a vulnerability that was within the scope of its tests, and all the necessary inputs to reproduce this vulnerability were available.

False negatives are a serious problem in software development projects, as overlooked issues may be involved in leaks or successful cyberattacks.

False negative reporting process

In the Advanced plan

Fluid Attacks' solution offers very low rates of false negatives, as it tests systems comprehensively with multiple techniques. However, in the course of Advanced, your organization or another application security provider might find a vulnerability that Fluid Attacks did not flag in a software it had already assessed (i.e., a potential false negative). Subscribers to both the Essential and Advanced plans can submit false negative requests. Both parties shall adhere to the following protocol:

  1. Submit the FN request to your Fluid Attacks Engagement Manager or Sales Representative through any of the communication channels you typically use for your interactions.
  2. Fluid Attacks shall assess the level of urgency of your request, that is, whether or not active exploitation of the vulnerability is identified. If so, Fluid Attacks shall prioritize helping you contain the incident.
  3. The Engagement Manager shall give you the "False Negative Request" form.
  4. Fill out the form and send it to Fluid Attacks. If another application security provider reported the FN, please send Fluid Attacks the full report from that provider. If the report is not available as a single file, provide the complete set of results or findings shared by that provider. (Ideally, you should upload the report to the platform in the file set for the group that includes the affected software in its scope.)
  5. Fluid Attacks assigns a security analyst to thoroughly investigate the report.
  6. The analyst attempts to reproduce the vulnerability in a controlled environment. If reproducible, the analyst attempts to map the vulnerability to the codebase and determines whether it constitutes a false negative.
  7. Fluid Attacks communicates the investigation results via video call.

Accuracy SLA

A missed vulnerability confirmed through the protocol above does not count as a false negative toward the Accuracy SLA if any of the following apply:

  • The group is subscribed only to the Essential plan.

  • Fluid Attacks lacked the source code or the corresponding environment.

  • The environment was unpaired with the provided branch.

  • The environment was unstable for at least 80% of business days due to unsolved events.

  • The data required for continuous testing flows (e.g., credentials, input fields) was incomplete or unusable.

  • Login/Access requires client intervention on every sign-in (e.g., OTPs that only the client receives).

  • The vulnerability predates the addition of the repository to Fluid Attacks' testing, and no Health Check was performed, or the post-Health Check review period had not yet been completed.

  • The vulnerability's status changed from "Open" to "Closed" due to exclusions, deactivations, or removals.

  • The average monthly insertions per author exceed 8,000, calculated over a rolling two-year window counting backward from the date of the FN request.

  • The potential vulnerability was reported within the tolerable window of 90 calendar days after its date of injection via a commit to the branch registered for tests in the platform. For vulnerabilities associated with SCA, the vulnerability is only considered a false negative if at least 48 hours have elapsed since the CVE was published in any of the sources consulted by Fluid Attacks, as defined in "Vulnerability signature update".

  • The vulnerability was found in an unsupported technology.

  • The vulnerability was found in an application that the client does not own or is not authorized to submit for testing.

When none of the above conditions apply, a missed vulnerability is a confirmed false negative affecting the Accuracy SLA: Fluid Attacks had access to the code and environment, the vulnerability was present during the testing period, and Fluid Attacks did not identify it.

On this page