Vulnerability Status
Vulnerability status may be Open, Closed, Accepted, Out of Scope, Mitigated, or Invalid.
Status | Description |
---|---|
An open vulnerability has been identified but has not been remediated (closed), accepted, mitigated, or marked as invalid. |
|
A closed vulnerability was identified at one point but retesting did not find that the vulnerability was still exploitable. |
|
An accepted vulnerability is one where the customer acknowledges the behavior we’ve described, but considers the finding not actionable for some reason: it’s considered an acceptable business risk. Typical use cases include reasonable mitigations being in place, the cost of remediation exceeding the risk, or the vulnerability existing in a third-party component the customer can’t change. |
|
A vulnerability may be Out of Scope if it was associated with a hostname that has been removed from the asset in the WhiteHat Portal. Changes to Scan Rules can also make a vulnerability Out of Scope. |
|
This is a legacy status. It described vulnerabilities where updates to WAF rules mitigated a problem without a fix to the underlying code. |
|
A vulnerability may, rarely, be labeled "invalid" if it was opened by human error or if it was a duplicate of an existing vulnerability. Invalid vulnerabilities are not security issues, though if an invalid vuln is a duplicate of a valid vuln, that valid vuln is still an issue. |