How to assign Treatments to reported vulnerabilities | Fluid Attacks

Assign Treatments

A Treatment represents the business decision that you make concerning a vulnerability. This choice focuses on how to approach or remediate the vulnerability. In this section, we will guide you on how to apply different Treatments handled in our platform.

Define a Treatment for a vulnerability

Role required: Vulnerability Manager or User Manager

You can set up a Treatment either from the Locations section, using the Edit function, or from the To do section. The following explains how to do it with the Edit function.

First, select the vulnerability you would like to treat. Doing so takes you to the Locations section. There, choose the location you want to treat by ticking the checkbox to its left, then click Edit.

Vulnerability Assign

After clicking on it, a pop-up window will appear in which you can apply a Treatment and justify it. Clicking on the Treatment drop-down will display the available Treatment options.

Treatment options

Below, we will proceed to explain each Treatment.

  • Untreated: Represents the initial state of the vulnerability, meaning that the vulnerability has yet to be assigned to any responsible party or received any specific Treatment.

  • In progress: With this Treatment, you acknowledge the existence of the vulnerability and assign it to a member with the User role. The assignment appears in that member's To do section, where they can see all the vulnerabilities they are responsible for remediating in their daily work.

  • Temporarily accepted: This Treatment is used when you do not intend to remediate the vulnerability, at least for a certain period. You accept the risks that come with it up to a specific date. When this time is over, you are in charge of defining the Treatment once again.

  • Permanently accepted: As with the previous Treatment, this is used when you don't intend to remediate the vulnerability, but this time you accept the risks that come with it permanently.

  • Zero risk: This is a special Treatment that you can define for a vulnerability which, according to your organization’s analysis, poses no threat. We will then analyze whether that is the case. If so, the vulnerability will be removed from the list. Otherwise, it will remain reported. You can get more information about this Treatment under this link.

Once you have selected the Treatment you want to apply, additional fields are enabled. Note that the fields vary according to the Treatment selected. Below, we explain each of them:

  • Assigned: The member responsible for solving the vulnerability.

  • Treatment justification: Here you must state the reasons for requesting this Treatment for the selected vulnerability.

  • Tags: You can assign one or more labels to the vulnerability to make it easier to manage and find.

  • External BTS: A Bug Tracking System (BTS) is a platform for issue management and task tracking that is internal to each client. In this field, you can provide the URL of the issue that tracks this vulnerability.

  • Level: You can use this field to assign a level of priority when remediating vulnerabilities. It can be a number between 0 and 1,000,000,000 that represents the severity of the vulnerability for the business. It can also be a monetary value.

  • Temporarily accepted until: This input field is enabled when applying the Temporarily accepted Treatment. Enter the date until which you will maintain this Treatment. Make sure that this date is consistent with the policy Maximum number of calendar days a finding can be temporarily accepted.

User role capabilities
The User role can define the Temporarily accepted, In progress and Zero risk Treatments. They can also suggest treating a vulnerability as Permanently accepted, but the only roles that can approve it are either the User Manager or the Vulnerability Manager.

Once you have selected the Treatment and completed all the necessary fields, click the Confirm button. A confirmation pop-up window will appear asking you to validate the application of that Treatment.

Confirmation

After you confirm, the vulnerability enters the Submitted status, waiting for the Treatment to be approved or rejected. Remember that only the User Manager or Vulnerability Manager roles can perform this action.

Submitted status

Assign fix work to members

Role required: Vulnerability Manager or User Manager

Note: Members with the User role can assign fix work to themselves.
In our platform, we offer the functionality to assign vulnerabilities to members of the work team, ensuring an efficient distribution for addressing and resolving reported vulnerabilities within the projects.

To begin, go to the Vulnerabilities section and choose the vulnerability type you want to treat.

Vulnerability type

Selecting this will take you to the Location section where you need to select the vulnerability you want to assign.

Selected location

When you select it, a pop-up details window will open; you should go to the Treatments tab.

Treatment tab

Once in this tab, go to the Treatment field and change the status from Untreated to In progress; this enables some additional fields. One of them is Assigned, where you must enter the email address of the User who will be responsible for fixing the code or configuration.

Assigned field

The other fields are described above in the present article.

Note: You can assign vulnerabilities in the Untreated status or reassign vulnerabilities in the In progress status. You can also assign a person even if you have previously applied the Temporarily accepted or Permanently accepted Treatments. In addition, it is important to note that the User Manager and Vulnerability Manager roles can assign vulnerabilities to any member of the group.

Right away, the new person responsible for fixing the vulnerability will receive an email notification telling them about the new assignment, specifying the type of vulnerability, the group and the location. Clicking the Go to type of vulnerability button will redirect them to the Location section on Fluid Attacks' platform.

Assigned notification

Note: Only a Fluid Attacks staff member can assign a vulnerability to fellow Fluid Attacks members. In either case, the Assigned dropdown list shows only valid options for the assignment.

You can also change the person responsible for a vulnerability. In the Assigned field, enter the email of the new responsible person; they will receive the Vulnerability assignment notification.

The person who was assigned the task will be able to find the aforementioned To do function on the top-right menu of the platform, next to the megaphone icon. The number over the icon will tell them how many vulnerabilities are assigned to them. Clicking on the icon will allow them to see the vulnerability locations they are responsible for remediating.

Approve or reject vulnerability acceptance Treatments

Role required: Vulnerability Manager or User Manager

You will receive a Treatment Alert notification announcing the request to accept the Treatment. You have a maximum of 5 days to respond to this request; if no response is received, the vulnerability returns to the Untreated status.

Notification

Select the vulnerability and click the Treatment acceptance button to respond to this request.

Treatment acceptance

A pop-up Observations window will appear, where the User Manager or the Vulnerability Manager must provide their observation concerning the requested Treatment and decide whether they approve or reject it.

Observations

If the treatment is approved, the vulnerability status will immediately change to Temporarily accepted or Permanently accepted, depending on the case. Otherwise, the status will appear as In progress or Untreated.
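The Treatment lifecycle described in the sections above, as an added example that is not Fluid Attacks' own code: a small Python model of the rules (acceptance Treatments wait in Submitted, only a User Manager or Vulnerability Manager may approve or reject, an unanswered request returns to Untreated after 5 days, and the Temporarily accepted date must respect the policy maximum). The 30-day policy value, the fallback status on rejection and the return to Untreated when the acceptance date passes are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

APPROVER_ROLES = {"User Manager", "Vulnerability Manager"}
ACCEPTANCE = {"Temporarily accepted", "Permanently accepted"}
APPROVAL_WINDOW_DAYS = 5   # managers have 5 days to answer a request
MAX_TEMP_ACCEPT_DAYS = 30  # constructed value for the group policy (assumption)


@dataclass
class Vuln:
    status: str = "Untreated"
    assigned: Optional[str] = None
    accepted_until: Optional[date] = None
    submitted_on: Optional[date] = None
    pending: Optional[str] = None  # acceptance Treatment waiting for approval


def request_treatment(v: Vuln, treatment: str, today: date,
                      assigned: Optional[str] = None, until: Optional[date] = None) -> Vuln:
    """Apply a Treatment; acceptance Treatments only enter the Submitted status."""
    if treatment == "Temporarily accepted":
        if until is None or until <= today:
            raise ValueError("Temporarily accepted needs a future 'accepted until' date")
        if (until - today).days > MAX_TEMP_ACCEPT_DAYS:
            raise ValueError("date exceeds the maximum temporary acceptance policy")
    if treatment in ACCEPTANCE:
        v.status, v.pending, v.submitted_on, v.accepted_until = "Submitted", treatment, today, until
    elif treatment == "In progress":
        if not assigned:
            raise ValueError("In progress requires an assigned member")
        v.status, v.assigned = treatment, assigned
    else:
        v.status = treatment
    return v


def decide(v: Vuln, role: str, approve: bool) -> Vuln:
    """Only a User Manager or Vulnerability Manager may approve or reject."""
    if role not in APPROVER_ROLES:
        raise PermissionError(f"{role} cannot approve or reject acceptance Treatments")
    if v.status != "Submitted":
        raise ValueError("nothing is awaiting approval")
    # assumption: a rejected request falls back to In progress when someone is assigned
    v.status = v.pending if approve else ("In progress" if v.assigned else "Untreated")
    v.pending = v.submitted_on = None
    return v


def refresh(v: Vuln, today: date) -> Vuln:
    """Time-based rules: unanswered requests expire, as does a temporary acceptance."""
    if v.status == "Submitted" and (today - v.submitted_on).days > APPROVAL_WINDOW_DAYS:
        v.status, v.pending, v.submitted_on = "Untreated", None, None
    elif v.status == "Temporarily accepted" and today > v.accepted_until:
        v.status = "Untreated"  # assumption: a new Treatment must then be defined
    return v
```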
