Vulnerability Status Migration Logic 3.X
ThreadFix provides three statuses that a vulnerability can be marked with: False Positive, Security Verified, and Developer Contested. The intended model is that developers may only contest a vulnerability, and the security team is responsible for verifying each contested item; the statuses exist to carry that hand-off between the two teams. ThreadFix recommends the following:
- Developers should only have permission to set and unset the Developer Contested status, which signals the security team that verification is needed.
- Once the security team has verified whether a vulnerability is a true or false positive, they alone should have permission to mark it Security Verified or False Positive. Granting developers the False Positive permission would let them close findings without review, which defeats the separation the statuses are meant to enforce.
Vulnerability Status Migration Logic
A vulnerability marked | Will be marked | Used by | Description
---|---|---|---
False Positive and any values for Scanner Exploitable*, Security Verified, or Developer Contested | False Positive only | Security team | Security has verified this vulnerability is a false positive.
Security Verified and any values for Scanner Exploitable* or Developer Contested | Security Verified only | Security team | Security has verified this vulnerability is a true positive.
Developer Contested and any value for Scanner Exploitable* | Developer Contested only | Developers | Suspected false positive. Security team, please verify.
*The Scanner Exploitable status is not marked by users, it is set by certain scanners when the data is ingested into ThreadFix. Please see the Finding Statuses and Severity Logic page for more details.
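The permission model and the migration table above together form a small role-gated state machine. The following is an added illustration of that logic, not ThreadFix's own code. It reads the table as a precedence order (False Positive over Security Verified over Developer Contested) and takes the literal "will be marked X only" wording to mean every other status, Scanner Exploitable included, is dropped once a user status applies. It also assumes the security team does not itself set Developer Contested, since the page only assigns that status to developers; the function names and the walk-through scenario are constructed for the example.

```python
"""Role-gated vulnerability status transitions modelled on the ThreadFix
migration table.  Illustrative code; not ThreadFix's implementation."""
from enum import Enum
from typing import FrozenSet, Iterable


class Status(Enum):
    FALSE_POSITIVE = "False Positive"
    SECURITY_VERIFIED = "Security Verified"
    DEVELOPER_CONTESTED = "Developer Contested"
    SCANNER_EXPLOITABLE = "Scanner Exploitable"   # set by scanners at ingest, never by users


class Role(Enum):
    DEVELOPER = "developer"
    SECURITY = "security"


# Recommended permission model: developers may only set/unset Developer
# Contested; the security team alone may set False Positive / Security
# Verified.  (Assumption: security does not set Developer Contested.)
ALLOWED = {
    Role.DEVELOPER: frozenset({Status.DEVELOPER_CONTESTED}),
    Role.SECURITY: frozenset({Status.FALSE_POSITIVE, Status.SECURITY_VERIFIED}),
}

# The migration table read as a precedence order: the first user-set status
# found here is kept and every other status is dropped.
PRECEDENCE = (Status.FALSE_POSITIVE, Status.SECURITY_VERIFIED, Status.DEVELOPER_CONTESTED)


def migrate(statuses: Iterable[Status]) -> FrozenSet[Status]:
    """Collapse a status set to the single status the table says it 'will be marked'."""
    statuses = frozenset(statuses)
    for status in PRECEDENCE:
        if status in statuses:
            return frozenset({status})
    # No user-set status: whatever the scanner set (e.g. Scanner Exploitable) stays.
    return statuses


def can_set(role: Role, status: Status) -> bool:
    """Permission check: Scanner Exploitable is never user-settable."""
    return status in ALLOWED[role]


def _require(role: Role, status: Status) -> None:
    if not can_set(role, status):
        raise PermissionError(f"{role.value} may not set or unset {status.value}")


def mark(current: Iterable[Status], role: Role, status: Status) -> FrozenSet[Status]:
    """Set a status on behalf of a role, then apply the migration table."""
    _require(role, status)
    # A role replaces the verdicts it owns (security: FP <-> SV); any status it
    # does not own is left for the table to resolve, so a developer's contest
    # cannot displace a security verdict.
    cleared = frozenset(current) - ALLOWED[role]
    return migrate(cleared | {status})


def unmark(current: Iterable[Status], role: Role, status: Status) -> FrozenSet[Status]:
    """Remove a status on behalf of a role (e.g. a developer withdrawing a contest)."""
    _require(role, status)
    return migrate(frozenset(current) - {status})


if __name__ == "__main__":
    # Constructed walk-through: a scanner flags a finding as exploitable, a
    # developer contests it, and the security team rules it a false positive.
    s = frozenset({Status.SCANNER_EXPLOITABLE})
    s = mark(s, Role.DEVELOPER, Status.DEVELOPER_CONTESTED)
    print(sorted(x.value for x in s))          # ['Developer Contested']
    s = mark(s, Role.SECURITY, Status.FALSE_POSITIVE)
    print(sorted(x.value for x in s))          # ['False Positive']
    try:
        mark(s, Role.DEVELOPER, Status.FALSE_POSITIVE)
    except PermissionError as exc:
        print("blocked:", exc)
```

The check worth carrying into any real deployment is the one in `mark` and `unmark`: the migration table alone does not stop a developer from marking a finding False Positive, so the role check must run before the status is written, not after.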
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.