Vulnerability releasing
Once new types of vulnerabilities are submitted to the platform, or new vulnerabilities are added to the already reported types, they are initially in a draft status. With this status, these vulnerabilities are only accessible to Fluid Attacks staff with the appropriate internal roles.
Drafts undergo exhaustive peer review, in which the following types of observation are possible:
- Writing: Corrections needed for spelling, grammar, clarity of description or additional vulnerability details
- Evidence: Addition or modification of supporting evidence required
- Scoring: Issues with CVSS scoring, including the need to revalue vector variables
- Consistency: Inconsistencies between elements, e.g., a “Low” in the CVSS Privileges Required (PR) metric while the Threat details mention an “anonymous user” as a possible attacker
- Omission: Missing information
- Naming: Recategorization under a different vulnerability type suggested
- False positive: Report identified as a false positive
- Duplicated: The vulnerability has already been reported under another vulnerability type
- Other: Reasons for rejection that do not fall into the above categories
When a “Naming,” “False positive” or “Duplicated” observation is made, the cycle ends with the draft’s deletion. The other types of observation cause the draft status change to “rejected.” The reporting pentester must then fix the draft accordingly and resubmit it for a new validation cycle.
Pentesters’ vulnerability reports are reviewed until there are no further observations, taking as many review cycles as necessary. When there are no further observations, the reported vulnerability location status is updated to “Vulnerable” and released to the client.