Open Report States
When reports haven't been acted on or resolved, they are in an open state. These are the Open report states:
State | Detail |
New | The report is pending validation. |
Pending Program Review | The report was initially validated by HackerOne triage; it is now pending further review and severity validation by the customer team. The final report state and severity are still subject to change.
Note: This report state is only applicable for programs that use HackerOne's triage services. |
Triaged | The report has been validated and escalated for internal remediation. The customer team will implement a fix based on severity/priority. The vulnerability should be considered a live and reproducible vulnerability whilst in this state
In rare cases, a triaged bug may be marked as duplicate or informative after further review. |
Retesting | The vulnerability is being retested. This is a valid bug that has been remediated and is pending verification of remediation by the researcher.
This report might revert to the triaged status if the fix is not confirmed or be moved to resolved after confirming the fix. |
Needs More Info | More information is needed from the hacker to reproduce the vulnerability or demonstrate impact. Reports that are in the Needs More Info state for more than 30 days will automatically close as informative and won't hurt the hacker's reputation. |
There are impacts to hacker reputation when the program changes the report state. Reputation isn't impacted when the hacker changes the report state themselves. They can self-close a report until it's marked as triaged.
Closed Report States
When a report is complete, and no further dialogue with the team, triager, or hacker is needed, it's changed into a closed state. Closed states change a hacker's reputation.
These are the Closed report states:
State | Detail | Change to Hacker Reputation |
Resolved | The vulnerability has been resolved and no further action is required. It should be considered resolved and no longer reproducible whilst in this state.
Any regression or bypass of the fix must be submitted as a new report and referenced as a bypass or regression of report #. | Increase +7 |
Informative | The report contains valid information, but the information provided doesn't require action. This state is often used for out-of-scope submissions or submissions against known issues disclosed on the program's security page, but it's also often used to imply accepted risk. | No change |
Duplicate | This issue has already been reported or is otherwise previously known by the customer team. This state can also be used when a single fix/deployment resolves multiple submissions (due to a singular underlying issue). To learn more about how duplicates affect reputation, read this article.
HackerOne encourages customers to attribute duplicate issues to the original submissions or otherwise include details about its original discovery. | If the hacker submits the original report: |
Not Applicable | The report doesn't contain a valid reproducible issue, and the security implications have not been demonstrated. Security teams should describe why the report was invalid so the hackers can improve their hacking skills.
N/A will also result in a loss of reputation points and affect the signal of the hacker. | Decrease -5 |
Spam | The report is invalid because it does not describe a legitimate security vulnerability. It may also be incomprehensible, abusive, and/or harassing. Reports selling any product or service will also be marked as Spam. | Decrease -10 |