The OpenCIRT vulnerability notification flow has been designed to guarantee that impactful reports are delivered quickly into the right hands. These are the report statuses you may see and what they mean:
1 – Pending
Once a vulnerability has been submitted via our Vulnerability Report Form, it automatically goes into “pending” status, waiting for our triage team to review it.
2 – Triage
When our team starts reviewing the vulnerability, the report goes into “triage” status. Please note that we not only make sure the vulnerability is reproducible, but also that the report is compliant with our Acceptable Hacking Policy and is impactful enough to be processed by OpenCIRT. As our service is free, we prioritize reports with the highest impact.
3 – Valid / Invalid
After our internal review, every report goes into a “valid” or “invalid” state, to let the hacker know the outcome of our triage work. At this stage, the company has not been notified yet.
4 – Company Notified
If the report is valid, the involved company/vendor gets notified about it and the report goes into “company notified” status. We do our research to try to notify the most appropriate address, and we do not disclose any details other than a direct link to the report. In order to view the report, the company/vendor must agree to our Terms of Service.
5 – Company Processing
If a company acknowledges viewing the vulnerability, the report goes into “company processing” status.
6 – Resolved
After the company is aware of the vulnerability, we will try to stay in touch and get confirmation when it has been fixed. If that happens, the report goes into “resolved” status and the company has the option to reward the reporting hacker via OpenCIRT.
7 – Closed
If the company decides not to fix the vulnerability or becomes unresponsive, the report goes into “closed” state with the appropriate reason.
If the vulnerability is highly impactful, we may decide to escalate the report to the appropriate authorities or the national CIRT.
Together, we can make the internet safer.