State

Detail

New

The report is in an unread state.

Pending Program Review

(Currently in beta) The report has been reviewed by HackerOne triage and is now pending review from the program. This only shows for programs that use HackerOne's triage services.

Triaged

The report is evaluated but hasn't been resolved. It is in the state of being fixed.

Retesting

The vulnerability is in the process of being retested.

Needs More Info

More information is needed from the hacker about the vulnerability. Reports in the Needs More Info state for more than 30 days will automatically close and won't hurt the hacker's reputation.

State

Detail

Change to Hacker Reputation

Resolved

The report is valid and no further dialogue with the hacker is needed.

Increase +7

Informative

The report contains useful information but doesn't warrant immediate action or a fix. Examples of informative reports include:

A program can consider providing an alternative risk assessment or other mitigating factors. Public disclosure is available with mutual agreement.

No change

Duplicate

This issue has already been reported. Programs can build trust by attributing the issue to its original discoverer and linking it to a previous report or including other details about its discovery. Public disclosure isn't available for this state.
​
​Note: If a hacker files a duplicate of a public report, their reputation will go down.

If the hacker submits the original report:
​Resolved: +2
​
​
​Not Applicable: -5
​
​Informative: 0

Not Applicable

The report doesn't contain a valid issue and has no security implications. Security teams should describe why the report was invalid, so the hacker can improve their hacking skills.

Decrease -5

Spam

The report is invalid because a legitimate security vulnerability isn't described. The report may be incomprehensible, abusive, and/or exhibit harassment. Reports that sell any sort of product or service will also be marked as Spam.

Decrease -10