Help Center

What are the states of a report?

All reports are either ‘Open’ or ‘Closed’ and can go through a variety of states throughout their life.

Open Report States

Pre-submission

(only with Human-Augemented Signal)

A report starts in Pre-submission when it has been flagged as potentially invalid. A HackerOne security analyst will first review the report before it's sent to the program. 

This report state is only applicable when Human-Augmented Signal is enabled for the program.

New

Reports start in this unread state.

Triaged

A report has been triaged when it has been evaluated but not concluded. A report that is valid that is being fixed is in Triaged state.

Needs More Info

More information is needed from the hacker regarding the vulnerability. Reports that are in the Needs More Info state for more than 30 days will automatically close and won't have a negative impact on the hacker's reputation. 

Hacker reputation is impacted when the team managing the program changes the report status, and reputation is not impacted when the hacker changes the report status themselves.

A hacker can self-close a report until it’s marked as triaged. Self closed reports do not count towards signal calculation. 

  • e.g. If a report has not yet been closed or triaged, and the researcher marks their own report as N/A, it will not harm their reputation.

When a report is complete, and no further dialogue with the team, triager, or reporter are needed, it is placed into a closed state.

Closed Report States

Hacker Reputation

Resolved

This report was valid and no further dialogue with the hacker is needed. This is the typical state for bugs that were valid, and the first reported.

Increase

+7

Informative

This report contained useful information but did not warrant an immediate action or a fix. Security teams can consider providing an alternative risk assessment or other mitigating factors. Public disclosure is available with mutual agreement.

No change

Duplicate

This issue has been previously reported (the "original" report). Security teams can build trust by attributing the issue to its original discoverer and linking to a previous report or include other details of its discovery. Public disclosure is not available.

Note that if a hacker files a duplicate of a public report, their Reputation will go down.

Based on original report resolution:

Resolved: +2

Not Applicable: -5

Informative: 0

Not Applicable

This was not a valid issue, or it had no security implications. Security teams should describe why the report was invalid, ineligible, or irrelevant so the researcher can improve.

Decrease

- 5

Spam

This is an invalid report in which the reporter did not make a legitimate attempt to describe a security issue. Security teams should inform HackerOne so additional restrictions can be applied.

Decrease

- 10

Have more questions? Submit a request
Powered by Zendesk