Understanding Substates

Substates are a representation of the current status of a submission at any particular time. They change throughout the triage process, depending on the impact and report structure.

When you create a submission, its status will always be “New.” Once an assigned Application Security Engineer has reviewed the submission, the substate will be updated.

There are three categories of statuses: open, accepted, and rejected. Within each category are the following substates:

Open

Substate Is a Valid Submission? Description
New N/A A submission that has not been reviewed or assigned a status.
Triaged N/A A submission that may be valid, but needs to be reviewed again and validated.

Accepted

Substate Is a Valid Submission? Description
Unresolved Valid A valid submission that needs to be fixed by the Program Owners.
Resolved Valid A valid submission that has been fixed by the Program Owners.

Rejected

Substate Is a Valid Submission? Description
Out of Scope Invalid A submission which is rejected because it is not in scope with the criteria outlined in the bounty brief.
Not Reproducible Invalid A submission which is rejected because the vulnerability cannot be reproduced based on the information given.
Won’t Fix Valid A submission that is rejected because it is seen as an accepted business risk, does not impact the organization, or users of the target.
Not Applicable N/A A submission that does not apply to the target or application.

Account Management
Program Management
Submission Management
Receiving Rewards