Accept vulnerabilities

The Acceptance section in Policies shows the types of vulnerabilities that your team has requested be permanently and temporarily accepted. Accepting vulnerabilities means acknowledging and tolerating their associated risks. The policies approved here apply to reports across all the groups within your organization.
Warning on vulnerability acceptance
Accepted vulnerabilities are ignored by Fluid Attacks' CI Agent during build checks. You assume the risk associated with allowing these vulnerabilities into production.

Accept vulnerabilities permanently

The first table in Acceptance lists the types of vulnerabilities your team has suggested for permanent acceptance, as well as the request status ('Approved', 'Rejected', 'Requested', or 'Inactive'), the request date, and any tags for classification added by the person who made it. Organization Managers can also see the Action column, which has the options to manage permanent acceptance.

View permanent acceptance policies on the Fluid Attacks platform

Submit a vulnerability type to accept

Role requirement info
Role required: User or Organization Manager
Any team member can make the approval request, but only Organization Managers can approve or reject it. To add a vulnerability type, follow these steps:
  1. Click on the Add vulnerability type button. This makes a pop-up window appear for you to select the type of vulnerability you want to submit for acceptance.

    Submit permanent acceptance policy on the Fluid Attacks platform

    In case the request has already been made, it is displayed as unavailable, and you are informed of the request status.

    See unavailable request on the Fluid Attacks platform

  2. Optionally, add one or more tags for classification.

  3. Click on the Request button to submit the request.

    Accept vulnerability permanently on the Fluid Attacks platform

Upon clicking the Request button, the type of vulnerability appears in the table with 'Requested' in the Status column.
Note on automatic approval
If you have the Organization Manager role, your submission is automatically approved.

Approve and reject acceptance requests

Role requirement info
Role required: Organization Manager
The Action column presents you with options to manage acceptance requests. Those in the 'Requested' status show you the Pending approval button. Manage them as follows:
  1. Approve: You approve the request, so that every vulnerability that matches the type, or type-tag combination, is accepted with no additional approvals needed. This changes the request status from 'Requested' to 'Approved'.
  2. Reject: You reject the request. This changes its status to 'Rejected'.

Approve and reject acceptance requests on the Fluid Attacks platform

Reactivate and deactivate acceptance policy

Role requirement info
Role required: Organization Manager
For requests whose status is 'Approved', 'Rejected' or 'Inactive', the Action column presents you with the Manage button. Manage these requests as follows:
  1. Click on Request to reactivate acceptance.

    Reactivate acceptance policy on the Fluid Attacks platform

    You have to confirm the action. Doing so changes the policy status from 'Rejected' or 'Inactive' to 'Approved'.

    Confirm policy reactivation on the Fluid Attacks platform

  2. Click on Deactivate to stop accepting the type of vulnerability.

    Deactivate acceptance policy on the Fluid Attacks platform

    Upon clicking the button, a pop-up window appears asking for confirmation. By clicking on Confirm, this policy's status changes from 'Approved' to 'Inactive'.

    Confirm policy deactivation on the Fluid Attacks platform

Add tags to classify vulnerabilities for acceptance

Role requirement info
Role required: User or Organization Manager
When submitting a type of vulnerability in Acceptance, you can add one or more tags to classify it. These tags are meant to help you find information fast in future searches and allow you to do analyses using categories that your team finds meaningful. For the latter, Fluid Attacks offers the analytics Tags by groups and Findings by tags.

Accept vulnerabilities temporarily

Role requirement info
Role requirements for submitting, approving, rejecting, deactivating and reactivating types are the same as for permanent acceptance of vulnerabilities. See details above.
The second table in Acceptance shows the types of vulnerabilities your team has suggested for temporary acceptance, as well as the corresponding request status, date and tags. Additionally, Organization Managers are offered multiple options to manage requests.

View temporary acceptance policies on the Fluid Attacks platform

A temporary acceptance policy can be created for an individual type of vulnerability or all types:

  1. To submit a request for one type, click on Add vulnerability type, select the type of vulnerability and click the Request button. You can optionally add tags. Bear in mind that you can only choose among the types for which a request has not been made.

    Request temporary acceptance policy on the Fluid Attacks platform

    Advice on accepting multiple vulnerabilities
    In this window you may select more than one type. Once you select at least one, you are told how many types are included in your request.

    Upon clicking Request, the policy appears in the table with the 'Requested' status. Only a member with the Organization Manager role can approve or reject it.

    See submitted temporary acceptance policies on the Fluid Attacks platform

  2. To submit a request for all types, select All vulnerability types after clicking on the Vulnerability type field, then add tags (optional) and click on the plus button.

    Caution on accepting all types
    By creating this policy, you acknowledge and temporarily tolerate the risks of all types of vulnerabilities detected in your system.

    Request temporary acceptance of all vulnerabilities on the Fluid Attacks platform

Note on automatic approval
Submissions by Organization Managers are automatically approved.

Members with the Organization Manager role can manage temporary acceptance from the Action column as follows:
  1. Pending approval > Approve to start accepting the vulnerability type
  2. Pending approval > Reject to disallow acceptance of the vulnerability type
  3. Manage > Request to activate acceptance of the vulnerability type
  4. Manage > Deactivate to stop accepting the vulnerability type