How to report false negatives | Fluid Attacks Help

How to report false negatives

Plan required: Advanced

In the course of Continuous Hacking Advanced, you might find a vulnerability that Fluid Attacks did not flag; this would be a false negative. To ensure a thorough investigation and swift resolution of any false negative, both parties shall adhere to the following protocol:
  1. Report the potential false negative over any of the available communication channels.
  2. Fluid Attacks shall assess the level of urgency in your report, that is, whether or not active exploitation of the vulnerability is identified; if so, Fluid Attacks shall prioritize helping you contain the incident.
  3. Fluid Attacks shall give you the potential leak form.
  4. Fill out the form and send it to Fluid Attacks.
  5. Fluid Attacks shall investigate the potential false negative as follows:
    1. Fluid Attacks assigns a security analyst to thoroughly investigate the report.
    2. The analyst attempts to reproduce the vulnerability in a controlled environment. If it is reproducible, the analyst maps it to the codebase, identifies the commit that introduced it and the date that commit was merged into the evaluated branch, and then determines whether the vulnerability constitutes a "leak" according to the following criteria:
      1. It is not a leak if Fluid Attacks was not in possession of the source code.
      2. It is not a leak if the vulnerability predates the addition of the repository to Fluid Attacks' testing and no Health Check was performed.
      3. It is not a leak if blocking events prevented testing the affected area.
      4. It is not a leak if the vulnerability's Status changed from 'Vulnerable' to 'Safe' due to exclusions, deactivations, or removals.
      5. It is a leak if Fluid Attacks had access to the code and the vulnerability was present during the testing period, but Fluid Attacks did not identify it.
  6. Fluid Attacks communicates the investigation results.