To help reduce the number of duplicate submissions you receive, you can share information about the known issues that have already been reported. By sharing this information, you provide better visibility into your program so that researchers can focus their efforts on finding unique vulnerabilities and exploring other potential attack vectors for your targets.
This level of transparency has a couple of key benefits:
- Increases efficiency: Visibility into previously found vulnerabilities provides researchers insights to better focus their testing efforts so that they can submit more unique issues and fewer duplicates.
- Increases testing activity: Programs that share previously found vulnerabilities are seen as more appealing to researchers because they are more likely to be the first to find unique vulnerabilities and be rewarded.
Shared known issues appear on the program brief, grouped by target and categorized by VRT classification. Any issue with a status of triaged, unresolved, or duplicate will be visible to researchers, who can drill down into the known issues for a target by VRT classification.
By default, the option to share known issues is not enabled. To enable known issue sharing, go to your Program Settings.
From the "Program Brief" tab, find the "Known Issues" section. Select the Display known issues count on program brief option. All P1-P4 issues classified as triaged, unresolved, won't fix, or duplicate will be shared.
Update your program brief to apply the changes. When the researcher views the brief, they'll be able to see the issues under the "Targets" area.
The following is a breakdown of what will be viewable by researchers in the program brief:
Each scoped target will have a target breakdown of unique known issues as seen below.
For further insights on known issues for a specific target select the details icon as seen below.
Upon clicking the details icon, a pop-up window will appear. This window will provide a breakdown of known issues on a specific target by specific VRT (Vulnerability Rating Taxonomy) categories.
NOTE: Unique vs. Total
The details pop-up window is broken up into two columns, unique and total. The unique column represents the number of first-to-find submissions, that is, findings with a status of triaged, unresolved, or won't fix. The total column represents the number of first-to-find submissions plus all duplicate findings.
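The following is an added example, not Bugcrowd code, that computes the per-target and per-VRT unique/total counts described above from a constructed list of submissions; the field names, the sample data, and the choice to use the L7 status set (triaged, unresolved, won't fix, duplicate) with the P1-P4 filter are assumptions of this example.

```python
from collections import defaultdict

# Statuses and priorities that are shared on the program brief (as described
# on this page); the record layout below is an assumption of this example.
SHARED_STATUSES = {"triaged", "unresolved", "won't fix", "duplicate"}
SHARED_PRIORITIES = {"P1", "P2", "P3", "P4"}

# Constructed sample submissions: target, VRT category, priority, status.
SAMPLE_SUBMISSIONS = [
    {"target": "api.example.com", "vrt": "Broken Access Control > IDOR", "priority": "P2", "status": "triaged"},
    {"target": "api.example.com", "vrt": "Broken Access Control > IDOR", "priority": "P2", "status": "duplicate"},
    {"target": "api.example.com", "vrt": "Broken Access Control > IDOR", "priority": "P2", "status": "duplicate"},
    {"target": "api.example.com", "vrt": "Sensitive Data Exposure", "priority": "P3", "status": "won't fix"},
    {"target": "www.example.com", "vrt": "XSS > Reflected", "priority": "P3", "status": "unresolved"},
    {"target": "www.example.com", "vrt": "XSS > Reflected", "priority": "P5", "status": "triaged"},  # P5: not shared
    {"target": "www.example.com", "vrt": "XSS > Stored", "priority": "P2", "status": "resolved"},  # resolved: not shared
    {"target": "www.example.com", "vrt": "XSS > Stored", "priority": "P2", "status": "not applicable"},
]


def is_shared(sub):
    """A submission is shown as a known issue only if it is P1-P4 and in a shared status."""
    return sub["priority"] in SHARED_PRIORITIES and sub["status"] in SHARED_STATUSES


def known_issue_breakdown(submissions):
    """Return {target: {vrt: {"unique": n, "total": m}}}.

    unique = first-to-find findings (shared statuses other than duplicate);
    total  = unique plus all duplicate findings, as in the details pop-up.
    """
    breakdown = defaultdict(lambda: defaultdict(lambda: {"unique": 0, "total": 0}))
    for sub in submissions:
        if not is_shared(sub):
            continue
        counts = breakdown[sub["target"]][sub["vrt"]]
        counts["total"] += 1
        if sub["status"] != "duplicate":
            counts["unique"] += 1
    return {target: dict(vrts) for target, vrts in breakdown.items()}


def target_unique_counts(submissions):
    """Per-target number of unique known issues, as shown in the target breakdown."""
    return {
        target: sum(counts["unique"] for counts in vrts.values())
        for target, vrts in known_issue_breakdown(submissions).items()
    }
```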