|
| 1 | +--- |
| 2 | +title: "Report States" |
| 3 | +path: "/hackers/report-states" |
| 4 | +--- |
| 5 | +All reports are either Open or Closed and can be changed to a variety of different states. |
| 6 | + |
| 7 | +### Open Report States |
| 8 | + |
| 9 | +When reports haven't been acted on or resolved, they are in an open state. |
| 10 | +These are the Open report states: |
| 11 | + |
| 12 | +State | Detail |
| 13 | +----- | ------ |
| 14 | +Pre-submission | This report state is only applicable when Human-Augmented Signal is enabled for the program. The report starts in the pre-submission state when it has been flagged as potentially invalid. A HackerOne security analyst will first review the report before it's sent to the program. |
| 15 | +New | The report is in an unread state. |
| 16 | +Triaged | The report is evaluated but hasn't been resolved. It is in the state of being fixed. |
| 17 | +Needs More Info | More information is needed from the hacker about the vulnerability. Reports that are in the *Needs More Info* state for more than 30 days will automatically close and won't have a negative impact on the hacker's reputation. |
| 18 | + |
| 19 | +There are impacts to hacker reputation when the program changes the report state. Reputation isn't impacted when the hacker changes the report state themselves. They can self-close a report until it's marked as triaged. |
| 20 | + |
| 21 | +### Closed Report States |
| 22 | + |
| 23 | +When a report is complete, and no further dialogue with the team, triager, or hacker is needed, it's changed into a closed state. Closed states change a hacker's reputation. |
| 24 | + |
| 25 | +These are the Closed report states: |
| 26 | + |
| 27 | +State | Detail | Change to Hacker Reputation |
| 28 | +----- | ------ | ---------------------------- |
| 29 | +Resolved | The report is valid and no further dialoge is with the hacker is needed. | Increase +7 points |
| 30 | +Informative | The report contains useful information but doesn't warrant an immediate action or a fix. Your program can consider providing an alternative risk assessment or other mitigating factors, and public disclosure is available with mutual agreement. | No change |
| 31 | +Duplicate | This issue has already been reported. Programs can build trust by attributing the issue to its original discovered and linking it to a previous report or include other details about its' discovery. Public disclosure is not available for this state. <br>*Note: If a hacker files a duplicate or public report, their reputation will go down.* | If the hacker submits the original report:<br>*Resolved*: +2 points<br><br><br>*Not Applicable*: -5 points<br><br>*Informative*: 0 |
| 32 | +Not Applicable | The report doesn't contain a valid issue and has no security implications. Security teams should describe why the report was invalid so the hacker can improve. | Decrease -5 points |
| 33 | +Spam | The report is invalid because the hacker didn't describe a legitimate security vulnerability. You should notify HackerOne so additional restrictions can be applied to to the hacker. | Decrease -10 points |
0 commit comments