Substates represent the current status of a submission at any particular time. They change throughout the triage process, depending on the submission's impact and report structure.
When you create a submission, its status will always be “New.” Once an assigned Application Security Engineer has reviewed the submission, the substate will be updated.
There are three categories of statuses: open, accepted, and rejected. Within each category are the following substates:
Open
Substate | Is a Valid Submission? | Description |
---|---|---|
New | N/A | A submission that has not been reviewed or assigned a status. |
Triaged | N/A | A submission that may be valid, but needs to be reviewed again and validated. |
Accepted
Substate | Is a Valid Submission? | Description |
---|---|---|
Unresolved | Valid | A valid submission that needs to be fixed by the Program Owners. |
Resolved | Valid | A valid submission that has been fixed by the Program Owners. |
Rejected
Substate | Is a Valid Submission? | Description |
---|---|---|
Out of Scope | Invalid | A submission that is rejected because it does not fall within the scope outlined in the bounty brief. |
Not Reproducible | Invalid | A submission which is rejected because the vulnerability cannot be reproduced based on the information given. |
Informational | Valid | A submission that is rejected because it is seen as an accepted business risk or does not impact the organization or users of the target. |
Not Applicable | N/A | A submission that does not apply to the target or application. |