Report States

All reports can be changed to a variety of different states

Updated over a week ago

All reports are either Open or Closed and can be changed to a variety of different states.

Open Report States

When reports haven't been acted on or resolved, they are in an open state. These are the Open report states:




The report is pending validation.

Pending Program Review

The report has been initially validated by HackerOne triage; it is now pending further review and severity validation from the customer team. The final report state and severity are still subject to change.

Note: This report state is only applicable for programs that use HackerOne's triage services.


The report has been validated and escalated for internal remediation. The customer team will implement a fix based on severity/priority. The vulnerability should be considered a live and reproducible vulnerability whilst in this state

In rare cases, a triaged bug may be marked as duplicate or informative after further review.


The vulnerability is in the process of being retested. This is a valid bug that has been remediated and is pending verification of remediation by the researcher.

This report might revert back to the triaged status if the fix is not confirmed, or might be moved to resolved after confirming the fix.

Needs More Info

More information is needed from the hacker to reproduce the vulnerability or demonstrate impact. Reports that are in the Needs More Info state for more than 30 days will automatically close as informative and won't hurt the hacker's reputation.

There are impacts to hacker reputation when the program changes the report state. Reputation isn't impacted when the hacker changes the report state themselves. They can self-close a report until it's marked as triaged.

Closed Report States

When a report is complete, and no further dialogue with the team, triager, or hacker is needed, it's changed into a closed state. Closed states change a hacker's reputation.

These are the Closed report states:



Change to Hacker Reputation


The vulnerability has been resolved and no further action is required. The vulnerability should be considered resolved and no longer reproducible whilst in this state.

Any regression or bypass of the fix is to be submitted as a new report and reference it is a bypass or regression of report #.

Increase +7


The report contains valid information, but the information provided doesn't require any action. This state is often used for out-of-scope submissions or submissions against known issues that are disclosed in the program policy, but it's also often used to imply accepted risk.

No change


This issue has already been reported or is otherwise previously known by the customer team. This state can also be used when a single fix/deployment resolves multiple submissions (due to a singular underlying issue). To learn more about how duplicates affect reputation, read this article.

HackerOne encourages customers to attribute duplicate issues to the original submissions or otherwise include details about its original discovery.

If the hacker submits the original report:
Resolved: +2

Not Applicable: -5

Informative: 0

Not Applicable

The report doesn't contain a valid reproducible issue and security implication has not been demonstrated. Security teams should describe why the report was invalid, so the hacker can improve their hacking skills.

N/A will also result in a loss of reputation points and affect the signal of the hacker.

Decrease -5


The report is invalid because a legitimate security vulnerability isn't described. The report may be incomprehensible, abusive, and/or exhibit harassment. Reports selling any product or service will also be marked as Spam.

Decrease -10

Did this answer your question?