Assign Treatments | Fluid Attacks Help

Assign Treatments

A Treatment represents the business decision that you make concerning a vulnerability. This choice focuses on how to approach or remediate the vulnerability. In this section, we will guide you on how to apply different Treatments handled in our platform.

Define a Treatment for a vulnerability

Role requirement infoRole required: Vulnerability Manager or User Manager

To set up a Treatment, you can do it from the Locations section using the Edit function or also from the To do section. The following will explain how to do it from the Edit function.

First, you must select the vulnerability you would like to validate. Doing so will direct you to the Locations section. Next, you must choose the vulnerability you want to treat by clicking on the checkbox to its left and clicking on Edit.

Vulnerability Assign

After clicking on it, a pop-up window will appear in which you can apply a Treatment and justify it. Clicking on the Treatment drop-down will display the available Treatment options.

Treatment options

Below, we will proceed to explain each Treatment.

  • Untreated: Represents the initial state of the vulnerability, meaning that the vulnerability has yet to be assigned to any responsible party or received any specific Treatment.

  • In progress: With this Treatment, you acknowledge the existence of the vulnerability and assign it to a member with the User role. This assignment is located in the To do, where the user can be aware of all the vulnerabilities they are responsible for remediating in their daily work.

  • Temporarily accepted: This Treatment is used when you do not intend to remediate the vulnerability, at least for a certain period. You accept the risks that come with it up to a specific date. When this time is over, you are in charge of defining the Treatment once again.

  • Permanently accepted: As with the previous Treatment, this is used when you don't intend to remediate the vulnerability, but this time you accept the risks that come with it permanently.

  • Zero risk: This is a special Treatment that you can define for a vulnerability which, according to your organization’s analysis, poses no threat. We will then analyze whether that is the case. If so, the vulnerability will be removed from the list. Otherwise, it will remain reported. You can get more information about this Treatment under this link.

Once you have selected the Treatment you want to apply, it will enable additional fields. Note that the field will vary according to the Treatment selected. Below, we will proceed to explain them:

  • Assigned: The member responsible for solving the vulnerability.

  • Treatment justification: Here you must state the reasons for requesting this Treatment for the selected vulnerability.

  • Tags: You can assign one or more labels to the vulnerability to make it easier to manage and find them.

  • External BTS: The Bug Tracking System (BTS) is a platform for issues management and tasks tracking that is internal for each client. In this field, you can provide the URL of the issue concerning this vulnerability.

  • Level: You can use this field to assign a level of priority when remediating vulnerabilities. It can be a number between 0 and 1,000,000,000 that represents the severity of the vulnerability for the business. It can also be a monetary value.

  • Temporarily accepted until: This input field will be enabled when applying the Temporarily accepted Treatment. You must enter the date until you will maintain this Treatment. Make sure that this date is consistent with the policy Maximum number of calendar days a finding can be temporarily accepted.

User role capabilities
The User role can define the Temporarily accepted, In progress and Zero risk Treatments. They can also suggest treating a vulnerability as Permanently accepted, but the only roles that can approve it are either the User Manager or the Vulnerability Manager.

Once you have applied the Treatment to the vulnerability and completed all the necessary fields, when you click on the Confirm button, a confirmation pop-up window will appear to validate the application of that Treatment.

Confirmation

Clicking on confirm the vulnerability will enter a Submitted status, waiting for the Treatment to be approved or rejected. Remember that the roles to do this action are User Manager or Vulnerability Manager.

Submitted status

Assign fix work to members

Role requirement info
Role required: Vulnerability Manager or User Manager
Note about User role
Members with the User role can assign fix work to themselves.
In our platform, we offer the functionality to assign vulnerabilities to members of the work team, ensuring an efficient distribution for addressing and resolving reported vulnerabilities within the projects.

To begin, go to the Vulnerabilities section and choose the vulnerability type you want to treat.

Vulnerability type

Selecting this will take you to the Location section where you need to select the vulnerability you want to assign.

Selected location

When you select it, a pop-up details window will open; you should go to the Treatments tab.

Treatment tab

When you are already in this tab, you must go to the Treatment field. You have to change the status from Untreated to In progress, enabling some fields to be completed. One is Assigned, where you must enter the User's email address here (that is the person who will be responsible for fixing the code or configuration).

Assigned field

The other fields are described above in the present article.

Note on vulnerability assignmentNote: You can assign vulnerabilities in Untreated status or reassign vulnerabilities in Progress status. Also, you can assign a person even if you have previously applied the Temporarily accepted or Permanently accepted Treatments. In addition it's important to note that the User Manager and Vulnerability Manager roles can assign vulnerabilities to any member of the group.

Right away, the new person responsible for fixing the vulnerability will receive an email notification telling them about the new assignment, specifying the type of vulnerability, the group and the location. Clicking the Go to type of vulnerability button will redirect them to the Location section on Fluid Attacks' platform.

Assigned notification

Note on vulnerability assignment between staffNote: Only a Fluid Attacks staff member can assign a vulnerability to fellow Fluid Attacks members. In either case, the Assigned dropdown list will show only valid options for the assignment.

Now, if you want to change the responsible for a vulnerability, it is possible. In the Assigned field, you have to put the email of the new responsible; this person will receive the notification Vulnerability assignment.

The person who was assigned the task will be able to find the aforementioned To do function on the top-right menu of the platform, next to the megaphone icon. The number over the icon will tell them how many vulnerabilities are assigned to them. Clicking on the icon will allow them to see the vulnerability locations they are responsible for remediating.

Approve or reject vulnerability acceptance Treatments

Role requirement info
Role required: Vulnerability Manager or User Manager
You will receive a notification Treatment Alert, announcing the request for acceptance of the Treatment application. You have a maximum of 5 days to respond to this request; if no response is received, the vulnerability enters the Untreated status.

Notification

Select the vulnerability and click the Treatment acceptance button to respond to this request.

Treatment acceptance

A pop-up Observations window will appear, where the User Manager or the Vulnerability Manager must provide their observation concerning the requested Treatment and decide whether they approve or reject it.

Observations

If the treatment is approved, the vulnerability status will immediately change to Temporarily accepted or Permanently accepted, depending on the case. Otherwise, the status will appear as In progress or Untreated.

Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.