False positives
Last updated: Mar 16, 2026
Definition
A false positive is an erroneous alert indicating that a vulnerability is present. False positives are a serious problem in software development projects, as investigating them may take longer than looking into correct alerts, and developers’ morale may be affected by changes in their priorities in favor of these alerts.
Report false positives
Fluid Attacks’ Continuous Hacking offers very low rates of false positives, for example, having achieved a false positive rate of 0% in the OWASP Benchmark Project. However, when your organization determines that a report is a false positive or that a vulnerability does not represent any risk, you can request Fluid Attacks’ evaluation of the case from the platform. This capability is called Request zero risk. To learn how to use it, refer to False positive requests .
The following sections describe when false positive requests are accepted and when rejected.
Reasons to accept false positive requests
- Overlooked context: Upon reviewing the context of the vulnerability, an inherent mitigation was identified that had not been previously considered.
- CVE expiration: The reported vulnerability is associated with an expired Common Vulnerabilities and Exposures (CVE) entry.
- Misreport: The report is erroneous or the vulnerability does not represent any risk.
- Report duplication: The report is a duplicate.
Reasons to reject false positive requests
- Obfuscation by countermeasure: The vulnerability exists but is obfuscated or mitigated by a countermeasure (e.g., a WAF).
- Reference to remediation: The assertion that there is no remediation available for the identified vulnerability, or that the remediation is too complex, is not a valid reason to dismiss an existing vulnerability.
- Reference to exploitability: Low exploitability or lack thereof is not a valid reason to dismiss an existing vulnerability.
- Reference to scope: Whether the report falls outside the intended scope of testing (i.e., it should be reported in a group where it is within the scope) does not mean that it is a false positive or does not represent risk.
- Incorrect procedure: A false positive request was submitted when the correct procedure would have been to request a reattack .
- Inactivity: Discussions with the client about the report fail to progress because the client does not provide additional details, leading to the rejection of the false positive request.
Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan . If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form .