Vulnerability Status
Vulnerability status may be Open, Closed, Accepted, Out of Scope, Mitigated, or Invalid.
| Status | Description |
|---|---|
| Open | The vulnerability has been identified but has not yet been remediated (closed), accepted, mitigated, or marked as invalid. |
| Closed | The vulnerability was identified at one point, but retesting could no longer reproduce or exploit it. |
| Accepted | The customer acknowledges the behavior described in the finding but considers it not actionable: it is treated as an acceptable business risk. Typical reasons include reasonable mitigations already being in place, the cost of remediation exceeding the risk, or the vulnerability residing in a third-party component the customer cannot change. |
| Out of Scope | The vulnerability is associated with a hostname that has been removed from the asset in the Continuous Dynamic Portal. Changes to Scan Rules can also move a vulnerability Out of Scope. |
| Mitigated | Legacy status. It described vulnerabilities where updates to WAF rules mitigated the problem without a fix to the underlying code. |
| Invalid | Rarely used. The vulnerability was opened by human error or is a duplicate of an existing vulnerability. Invalid vulnerabilities are not security issues; note, however, that if an invalid vulnerability is a duplicate of a valid one, the valid vulnerability is still an issue. |