📋Reports Handbook

Overview

This handbook provides a comprehensive guide to understanding and managing reports within the Trustline platform. It details the states a report can be in, both while it is open and after it is closed, and explains what each state means. The handbook also covers the severity ratings assigned to reports, which help assess the impact of reported vulnerabilities. Whether you are a program manager, a triager, or a hacker, this guide will help you navigate the reporting process efficiently.

Open Report States 🟢

When reports haven't been acted on or resolved, they are in an open state. These are the Open report states:

New (Purple): The report is in an unread state.

Under Program Review (Orange): The report has been reviewed by Trustline triage and is now pending review from the program. This state only appears for programs that use Trustline triage services.

Accepted (Green): The report has been evaluated but hasn't been resolved yet. The issue is in the process of being fixed.

Retesting (Yellow): The vulnerability is in the process of being retested.

Needs More Info (Light Blue): More information is needed from the hacker about the vulnerability.

Closed Report States 🔴

When a report is complete, and no further dialogue with the team, triager, or hacker is needed, it is changed to a closed state. Closed states affect a hacker's reputation.

These are the Closed report states:

Resolved (Dark Green): The report is valid and no further dialogue with the hacker is needed.

Informative (Grey): The report contains useful information but doesn't warrant immediate action or a fix. Examples of informative reports include:

• Notifications of broken links
• The issue is not consistently reproducible
• You report a subdomain takeover you encountered but did not execute yourself
• The program has decided to accept the risk

A program can consider providing an alternative risk assessment or other mitigating factors. Public disclosure is available with mutual agreement.

Duplicate (Dark Blue): This issue has already been reported. Programs can build trust by attributing the issue to its original discoverer and linking it to the previous report, or by including other details about its discovery. Public disclosure isn't available for this state.

Note: If a hacker files a duplicate of a public report, their reputation will go down.

Not Applicable (Red): The report doesn't contain a valid issue and has no security implications. Security teams should describe why the report was invalid, so the hacker can improve their hacking skills.

Spam (Burgundy): The report is invalid because it doesn't describe a legitimate security vulnerability. The report may be incomprehensible, abusive, and/or exhibit harassment. Reports that sell any sort of product or service will also be marked as Spam.

Reports Severity

Reports are assigned a severity rating to indicate how severe the vulnerability is. On Trustline, severity is used for several purposes, including structuring bounty ranges. The severity rating can be:

None (Dark Blue)

Low (Dark Green)

Medium (Orange)

High (Red)

Critical (Burgundy)
