All reports are either Open or Closed and can be changed to a variety of different states.
When reports haven't been acted on or resolved, they are in an open state. These are the Open report states:
|Pre-submission||This report state is only applicable when Human-Augmented Signal is enabled for the program. The report starts in the pre-submission state when it has been flagged as potentially invalid. A HackerOne security analyst will first review the report before it's sent to the program.|
|New||The report is in an unread state.|
|Pending Program Review||(Currently in beta) The report has been reviewed by HackerOne triage and is now pending review from the program. This only shows for programs that use HackerOne's triage services.|
|Triaged||The report is evaluated but hasn't been resolved. It is in the state of being fixed.|
|Retesting||The vulnerability is in the process of being retested.|
|Needs More Info||More information is needed from the hacker about the vulnerability. Reports that are in the Needs More Info state for more than 30 days will automatically close and won't have a negative impact on the hacker's reputation.|
There are impacts to hacker reputation when the program changes the report state. Reputation isn't impacted when the hacker changes the report state themselves. They can self-close a report until it's marked as triaged.
When a report is complete, and no further dialogue with the team, triager, or hacker is needed, it's changed into a closed state. Closed states change a hacker's reputation.
These are the Closed report states:
|State||Detail||Change to Hacker Reputation|
|Resolved||The report is valid and no further dialogue with the hacker is needed.||Increase +7|
|Informative||The report contains useful information but doesn't warrant immediate action or a fix. Examples of informative reports include:
|Duplicate||This issue has already been reported. Programs can build trust by attributing the issue to its original discoverer and linking it to a previous report or including other details about its discovery. Public disclosure isn't available for this state.
Note: If a hacker files a duplicate of a public report, their reputation will go down.
|If the hacker submits the original report:
Not Applicable: -5
|Not Applicable||The report doesn't contain a valid issue and has no security implications. Security teams should describe why the report was invalid, so the hacker can improve their hacking skills.||Decrease -5|
|Spam||The report is invalid because a legitimate security vulnerability isn't described. The report may be incomprehensible, abusive and/or exhibit harassment. Reports that sell any sort of product or service will also be marked as Spam.||Decrease -10|