False negatives | Fluid Attacks Help

False negatives

Definition of false negatives

A false negative is an erroneous report indicating that a vulnerability does not exist or is absent. Specifically, Fluid Attacks considers false negatives as instances when it fails to report a vulnerability that was within the scope of its tests, and all the necessary inputs to reproduce this vulnerability were available. False negatives are a serious problem in software development projects, as overlooked issues may be involved in leaks or successful cyberattacks.

Report false negatives

Plan required: Advanced

Fluid Attacks' Continuous Hacking offers very low rates of false negatives, as it tests systems comprehensively with multiple techniques. Accordingly, it includes high accuracy levels in its service-level agreement (SLA). However, in the course of Continuous Hacking Advanced, your organization might find a vulnerability that Fluid Attacks did not flag. For the accuracy SLA to apply, your false negative request must satisfy several criteria (refer to the items in 5.b. below). To ensure a thorough investigation and swift resolution of any false negative, both parties shall adhere to the following protocol:
  1. Report the potential false negative over any of the available communication channels.
  2. Fluid Attacks shall assess the level of urgency in your report, that is, whether or not active exploitation of the vulnerability is identified; if so, Fluid Attacks shall prioritize helping you contain the incident.
  3. Fluid Attacks shall give you the potential leak form.
  4. Fill out the form and send it to Fluid Attacks.
  5. Fluid Attacks shall investigate the potential false negative as follows:
    a. Fluid Attacks assigns a security analyst to thoroughly investigate the report.
    b. The analyst attempts to reproduce the vulnerability in a controlled environment. If it is reproducible, the analyst attempts to map the vulnerability to the codebase, identify the commit that introduced it and the date that commit was merged into the evaluated branch, and determine whether the vulnerability constitutes a "leak" based on the following criteria:
      1. It is not a leak if Fluid Attacks was not in possession of the source code.
      2. It is not a leak if the vulnerability predates the addition of the repository to Fluid Attacks' testing and no Health Check was performed.
      3. It is not a leak if blocking events prevented testing the affected area for more than 20% of business days.
      4. It is not a leak if the vulnerability's Status changed from 'Vulnerable' to 'Safe' due to exclusions, deactivations, or removals.
      5. It is a leak if Fluid Attacks had access to the code and the vulnerability was present during the testing period, but Fluid Attacks did not identify it.
  6. Fluid Attacks communicates the investigation results.