See where vulnerabilities are and more details | Fluid Attacks Help

See where vulnerabilities are and more details

See the list of vulnerabilities detected

Role requirement info
Role required: User, Vulnerability Manager or User Manager
The Vulnerabilities section is the first one you see when accessing a group. It provides an overview of all detected types of vulnerabilities.

View reported types of vulnerabilities on the Fluid Attacks platform

Advice on seeing vulnerabilities
Hover over the Vulnerabilities tab to instantly see the total number of vulnerabilities awaiting remediation in the group.
Note on type of vulnerability
Note: A type of vulnerability is a category following Fluid Attacks' classification, whereas a vulnerability is a specific instance of that type found in your software.

Know your Vulnerabilities table

Role requirement info
Role required: User, Vulnerability Manager or User Manager

The Vulnerabilities table offers details about the types of vulnerabilities identified in your group.

Understand the Vulnerabilities table on the Fluid Attacks platform

The following are short descriptions of what you find for each column:
  1. Type: The standardized type of vulnerability best matching the characteristics of the vulnerability in your system
  2. Status: Indicates the condition of the group regarding this type of vulnerability, where it is Vulnerable if the type is present or Safe if the type has been remediated
  3. Priority score: The share corresponding to the type of vulnerability out of the total priority units accumulated by a group, where priority units comprise (a) the quantitative value corresponding to the qualitative assessment you or your team made of the affected root regarding how critical it is to your software development project; (b) your organization's prioritization policies based on testing technique that found the vulnerability, attack vector, and vulnerability exploitability; (c) the Priority set for individual vulnerabilities when assigned a treatment; and (d) a default score calculated using the Common Vulnerability Scoring System (CVSS) as follows:  (4^(CVSS-4)) / 4.096
  4. Open vulns: The count of locations in your system where this vulnerability type is still present
  5. Severity Overview: The number of detected vulnerabilities of each CVSS qualitative severity rating, which groups scores as follows:
    • Low (0.1 - 3.9)
    • Medium (4.0 - 6.9)
    • High (7.0 - 8.9)
    • Critical (9.0 - 10.0)
  6. Last report: Days since the last vulnerability of this type was found (regardless of the current Status)
  7. Remediation: Percentage of reported vulnerabilities of this type remediated by your team
  8. Age: Days since this vulnerability type was first detected in your system
  9. Reattack: Status of reattacks for this type of vulnerability (Pending if a reattack is due, - otherwise)
  10. Release date: Date when the type of vulnerability was first reported in your system
  11. Treatment: The number of vulnerabilities per assigned treatment
  12. Description: A definition of the type of vulnerability
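As an added illustration (not Fluid Attacks' own code), the following Python script carries the Priority score arithmetic from the list above through a constructed group: the default units (4^(CVSS-4)) / 4.096, the CVSS qualitative rating bands, and each type's share of the group's total priority units. Treating the root criticality, policy and per-vulnerability Priority contributions as plain additive units is an assumption made here; the page does not state how they combine.

```python
"""Priority score arithmetic as described on the Fluid Attacks help page.

Added example, not Fluid Attacks' code. Only the parts the page states are
implemented literally: default units = (4^(CVSS-4)) / 4.096, the CVSS
qualitative bands, and "share of the group's total priority units".
"""
from collections import defaultdict


def default_priority_units(cvss: float) -> float:
    """Default priority units for a CVSS base score: (4^(CVSS-4)) / 4.096.

    Each +1 on the CVSS scale multiplies the units by 4, so a CVSS 10.0
    vulnerability carries 1000 units and a CVSS 4.0 one roughly 0.24.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    return (4 ** (cvss - 4)) / 4.096


def severity_rating(cvss: float) -> str:
    """CVSS qualitative rating bands as listed in the Severity Overview column."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss >= 0.1:
        return "Low"
    return "None"  # 0.0 falls outside the four bands on the page (assumed label)


def vulnerability_units(cvss: float, extra_units: float = 0.0) -> float:
    """Units for one vulnerability: default CVSS units plus the units from
    root priority, prioritization policies and assigned Priority.
    Assumption: those contributions are simply added to the default."""
    return default_priority_units(cvss) + extra_units


def priority_shares(vulns):
    """Priority score per vulnerability type, as a percentage share of the
    group's total priority units.

    `vulns` is an iterable of (type_name, cvss, extra_units) tuples, one per
    open vulnerability in the group."""
    units_by_type = defaultdict(float)
    for type_name, cvss, extra in vulns:
        units_by_type[type_name] += vulnerability_units(cvss, extra)
    total = sum(units_by_type.values())
    if total == 0:
        return {t: 0.0 for t in units_by_type}
    return {t: 100.0 * u / total for t, u in units_by_type.items()}


# Constructed sample: the open vulnerabilities of a hypothetical group.
SAMPLE_GROUP = [
    ("SQL injection", 9.8, 0.0),
    ("SQL injection", 9.8, 0.0),
    ("Insecure encryption algorithm", 7.5, 0.0),
    ("Missing security headers", 3.1, 0.0),
    ("Missing security headers", 3.1, 0.0),
    ("Missing security headers", 3.1, 0.0),
]

if __name__ == "__main__":
    # Two Critical findings dominate the group's total units, which is why
    # the Priority fixes list orders types by this share rather than by count.
    ranked = sorted(priority_shares(SAMPLE_GROUP).items(), key=lambda kv: -kv[1])
    for type_name, share in ranked:
        print(f"{type_name:32} {share:6.2f} %")
```

Because the default units grow by a factor of 4 per CVSS point, three Low findings together weigh far less than a single High one, which the sample run makes visible.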
Advice on hiding columns
Customize your view by showing or hiding columns using the Column button.
You can expand rows using the downward arrow to view some of the information about the type of vulnerability stacked vertically, along with additional details, such as whether the type is exploitable.

Expand type of vulnerability on the Fluid Attacks platform
Note on duplicate vulnerability type
Note: You might see the same type of vulnerability listed multiple times. This is due to the grouping together of vulnerabilities with similar attributes (description, recommendations, severity, etc.) for easier management.

Spot newly reported vulnerabilities

Newly reported types of vulnerabilities are highlighted with a New label for seven days in the table, helping you quickly identify them.

Recognize newly reported vulnerabilities on the Fluid Attacks platform

Search the Vulnerabilities table

Role requirement info
Role required: User, Vulnerability Manager or User Manager
The search bar in the Vulnerabilities section lets you quickly find specific information within the table by showing only the rows whose content matches your search. It is advisable to search by entering the name of the type of vulnerability, the repository nickname or the vulnerability location (e.g., a file name).
Search the vulnerabilities table on the Fluid Attacks platform

Hide and show columns in the Vulnerabilities table

Role requirement info
Role required: User, Vulnerability Manager or User Manager

You can customize the table view by choosing which columns to display. Click the Columns button to open a pop-up window where you can hide or show columns.

Customize vulnerabilities table on the Fluid Attacks platform

Note on column preferences
Note: Your preferences for which columns to see persist across Vulnerabilities sections within your groups.

Filter the vulnerabilities table

Role requirement info
Role required: User, Vulnerability Manager or User Manager

You can filter the table to facilitate your search. To access the multiple options, click the Filters button.

Filter the vulnerabilities table on the Fluid Attacks platform
To clear a filter, click on the X next to it.

Clear filters of the vulnerabilities table on the Fluid Attacks platform

Note on filters
Note: Your filters persist only in the Vulnerabilities section of the group you applied them to.

View the top ten vulnerabilities to prioritize

Role requirement info
Role required: Vulnerability Manager or User Manager

To help you focus on the most critical issues, Fluid Attacks' platform shows you the top ten list of the types of vulnerabilities in your group whose remediation you should prioritize. This list is ordered by these issues' total Priority score, the share corresponding to the type of vulnerability out of the total priority units accumulated by a group, where priority units include (a) the root Priority; (b) any applicable prioritization policies; (c) the specific Priority units assigned to each vulnerability; and (d) a default score calculated using the CVSS as follows: (4^(CVSS-4)) / 4.096.

To view the list, click on Priority fixes in your Vulnerabilities section.

See button for top ten vulnerabilities on the Fluid Attacks platform
Priority fixes button in Vulnerabilities

See the top ten vulnerabilities in group on the Fluid Attacks platform
Top ten vulnerabilities to remediate in your group
Advice on top ten vulnerabilities
The Location column shows the selected individual vulnerability with the highest Priority score within the type of vulnerability. Click on it to see inside the vulnerability.

Generate reports

Role requirement info
Role required: Vulnerability Manager or User Manager

The Generate report option in the Vulnerabilities section allows you to download reports varying in detail. User Managers additionally have the option to generate security testing certificates. For details on available report types and how to generate them, read Download a report of detected vulnerabilities.
Generate reports on the Fluid Attacks platform

See where vulnerabilities are located

Role requirement info
Role required: User, Vulnerability Manager or User Manager
In the Vulnerabilities section, when you click on a type of vulnerability, you access a set of spaces dedicated to it. The header is visible across all of them and shows the group name, the type of vulnerability, and the amount of time it may take you to remediate it. The banner below the tabs shows the percentage of risk exposure (i.e., weakness towards cybersecurity events compromising information availability, confidentiality and integrity) that can be reduced upon remediating the type of vulnerability. This percentage depends on the Common Vulnerability Scoring System (CVSS) version you choose to see.

Understand the vulnerability header on the Fluid Attacks platform

The Locations section informs where in your system each vulnerability of the selected type was detected and provides relevant information for its management.
View vulnerabilities locations on the Fluid Attacks platform

These are the descriptions of what you find in the table:
  1. Location: The file path where this vulnerability type was found
  Advice on newly reported vulnerabilities
    Newly reported vulnerabilities are marked with the New label next to their location for seven days.
  2. Specific: The exact lines of code, inputs (e.g., password fields) or ports where the vulnerability was found (hence the occasional repetition of files in Location)
  3. Status: Indicates whether the lines of code, inputs or ports are Vulnerable (the vulnerability is present) or Safe (the vulnerability is no longer present)
  4. Technique: The security testing technique used to detect the vulnerability, which can be one of these:
    • SAST: Automated static code analysis
    • DAST: Automated dynamic analysis
    • SCA: Automated analysis of third-party dependencies
    • CSPM: Automated analysis of cloud environments
    • SCR: Static code analysis done manually
    • PTaaS: Dynamic analysis done manually
    • RE: Reverse engineering of your system done manually
  5. Severity: The CVSS v3.1 or v4.0 score assigned to the vulnerability
  6. Priority score: The share corresponding to the vulnerability out of the total priority units accumulated by a group, where priority units include (a) the quantitative value corresponding to the qualitative assessment you or your team made of the affected root regarding how critical it is to your software development project, (b) your organization's prioritization policies based on the testing technique that found the vulnerability, attack vector, and vulnerability exploitability, and (c) the result of (4^(CVSS-4)) / 4.096
  7. Report date: The date when the vulnerability was reported
  8. Reattack: Status of reattack requests or outcomes, if applicable, which may be one of the following:
    • Pending: Fluid Attacks is yet to communicate the outcome of the requested reattack
    • On hold: The requested reattack is not possible until your team solves an event impeding testing
    • Verified open: The reattack evidences the vulnerability is still present
    • Verified closed: The reattack evidences the vulnerability is no longer present
  9. Treatment: The defined treatment for the vulnerability:
    • Untreated: The vulnerability treatment assignment is due
    • In progress: The remediation of the vulnerability has been assigned to a member of your team
    • Temporarily accepted: The vulnerability is accepted until a defined date
    • Permanently accepted: The vulnerability is accepted indefinitely
    • Verified closed: The reattack evidences the vulnerability is no longer present
  10. Tags: Any tags you or your team have added to identify the vulnerability
  11. Treatment acceptance: The status of a vulnerability acceptance request, which may be one of the following:
  12. Assignees: The individuals assigned to address the vulnerability
You can limit the information you see in the table by clicking Filters and using one or more of the available options.

Filter locations on the Fluid Attacks platform
Another way to quickly find what you are looking for in the table is typing search terms in the search bar. Immediately, only the rows whose content matches your search are shown.
Search vulnerability location on the Fluid Attacks platform

See inside a vulnerability

Role requirement info
Role required: User, Vulnerability Manager or User Manager

You can click on a vulnerability in the Locations section to open a pop-up window with multiple tabs: Details, Severity, Code (if applicable), Treatments (if applicable) and Tracking. This window has a unique URL for easy sharing with team members or Fluid Attacks staff, which you can copy by clicking on the link icon. Moreover, for many vulnerabilities, the window offers the How to fix button, which triggers the generation of custom remediation guides with artificial intelligence.

See the details of a specific vulnerability

Role requirement info
Role required: User, Vulnerability Manager or User Manager
The Details tab provides comprehensive information about the state of the selected vulnerability.

View vulnerability details on the Fluid Attacks platform

These are the details shown in this tab:

  • Location:
    • The file path where the vulnerability was detected
    • LoC/port/input: The specific line of code, port number, or input field affected
  • General details:
    • Report date: The date the vulnerability was reported
    • Closing date: The date it was verified the vulnerability is no longer present or, for another reason, its Status changed from Vulnerable to Safe
    • Closing reasons: The reason the vulnerability's Status changed from Vulnerable to Safe
    • Commit hash: ID of the commit that created the vulnerability
    • Vulnerability description: Fluid Attacks' definition of the type of vulnerability
    • Tags: User-defined tags for identifying the vulnerability
    • Priority: The importance rating for the vulnerability based on root criticality, prioritization policies, and the result of (4^(CVSS-4)) / 4.096
    • Zero risk: Indicates if the Zero risk treatment has been applied to this finding (your organization requests this treatment if the finding poses no risk)
  • Reattacks:
    • Last request: The date of the most recent reattack request
    • Requester: The email of the member who requested the last reattack
    • Cycles: The total number of reattack requests for this vulnerability
    • Efficiency: The percentage representing one positive reattack outcome (confirming the vulnerability was fixed) out of all the reattacks carried out
  • Treatments:
    • Current: The currently applied treatment for the vulnerability
    • Assigned: The email of the member assigned to address the vulnerability
    • Date: The date the treatment was applied
    • Expiration: The expiration date for a Temporarily accepted treatment
    • Justification: The reason provided for applying the Temporarily accepted treatment
    • Changes: The number of times the treatment of that vulnerability has changed
  • Package details: (Visible only for vulnerabilities found via SCA)
    • Name: The name of the vulnerable package
    • Vulnerable version: The affected package version
    • CVE: The associated Common Vulnerabilities and Exposures (CVE) identifier of the vulnerable version

Learn the severity of a specific vulnerability

Role requirement info
Role required: User, Vulnerability Manager or User Manager

The Severity tab provides detailed information about the CVSS severity score assigned to the specific vulnerability.

Know vulnerability severity on the Fluid Attacks platform

These are the details shown:

  1. Vector CVSS v3.1/4.0 string: The values used to derive the score, represented textually
  Advice on CVSS vector string
    Click the string to follow the link to the score calculator showing said values.
  2. Severity CVSS v3.1/4.0 score: The calculated severity score and its corresponding qualitative rating
  3. The severity score breakdown showing the values for each metric along with a visual representation of the value
  Advice on CVSS metrics
    Hover over the metric to reveal its definition and the description of its possible values.

See the vulnerable line of code

Role requirement info
Role required: User, Vulnerability Manager or User Manager
The Code tab highlights the vulnerable code snippet and shows the code surrounding it, allowing you to pinpoint the issue directly within your codebase.

View the vulnerable line of code on the Fluid Attacks platform

Edit treatment for a vulnerability

Role requirement info
Role required: User, Vulnerability Manager or User Manager

The Treatments tab allows you to manage the treatment for the vulnerability, as well as manage tags, link to the related issue in a bug tracking system, and priority score. Read about these fields in Assign treatments.

Manage vulnerability treatments on the Fluid Attacks platform

See the history of a specific vulnerability

Role requirement info
Role required: User, Vulnerability Manager or User Manager

The Tracking tab allows you to see the management decisions made over a vulnerability over time, including changes in status, treatments, and other relevant details.

See timeline of a vulnerability on the Fluid Attacks platform

Role requirement info
Role required: User, Vulnerability Manager or User Manager
You can easily share the pop-up window for a vulnerability with others, as it has a unique URL containing the vulnerability ID. To copy the URL, simply click on the link icon.
Get a vulnerability link on the Fluid Attacks platform

Get a custom guide to fix the vulnerability

Role requirement info
Role required: User, Vulnerability Manager or User Manager
Warning on AI generated fixes
Always review the accuracy of remediation guides generated with AI.
From the pop-up window, you can immediately get a step-by-step, custom, AI-generated guide to remediate the vulnerability. Simply click the How to fix button and let Fluid Attacks' Custom fix feature create this useful resource for you to plan the remediation of the vulnerability in question. Bear in mind that this feature is not available for some vulnerabilities.

Fix with AI on the Fluid Attacks platform

See the description of a type of vulnerability

Role requirement info
Role required: User, Vulnerability Manager or User Manager

The Description section of a type of vulnerability provides its definition and relevant characteristics to more clearly understand the issue and possible fixes.

View vulnerability description on the Fluid Attacks platform

Specifically, this section provides the following information:
  1. Description: Fluid Attacks' definition of the type of vulnerability in question
  2. Requirements: The security requirements, according to Fluid Attacks' classification, that may have been violated
  3. Impacts: What an attacker can achieve exploiting the vulnerability
  4. Threat: The attack vector an attacker has to follow and the privileges they require to exploit the vulnerability
  5. Recommendation: Advice for remediating the vulnerability
  6. Do you need help with this vulnerability?: Link to schedule a video meeting to discuss the vulnerability with a member of Fluid Attacks' hacking team
  7. Default vector CVSS v3.1/4.0 string: The textual representation of the values used to derive the default score for this type of vulnerability
  8. Default severity CVSS v3.1/4.0 score: The default severity score calculated for this type of vulnerability and its corresponding qualitative rating

See the severity of a type of vulnerability

Role requirement info
Role required: User, Vulnerability Manager or User Manager

The Severity section of a type of vulnerability details the values it was given in each of the metrics of the Common Vulnerability Scoring System (CVSS) v4.0. You can hover over the metrics to see their definitions and the descriptions of their possible values.

View the severity of the type of vulnerability on the Fluid Attacks platform

See evidence of exploitability

Role requirement info
Role required: User, Vulnerability Manager or User Manager
In the Evidence section of a type of vulnerability you may find screenshots of code snippets demonstrating the presence of the vulnerability and screenshots or videos showing the ethical exploitation of the vulnerability in question. You can click on these resources to enlarge them and then download them. Learn more details about this section in Examine the evidence of exploitability.

See vulnerability evidence on the Fluid Attacks platform

See the timeline of a type of vulnerability

Role requirement info
Role required: User, Vulnerability Manager or User Manager
In the Tracking section of a type of vulnerability, you can view its timeline, detailing cycles which are marked by reattack outcomes and any temporary and permanent acceptance treatments. To see the timeline for a vulnerable line of code, input or port, refer to See the history of a specific vulnerability.

See the history of a type of vulnerability on the Fluid Attacks platform

See affected records

Role requirement info
Role required: User, Vulnerability Manager or User Manager

The Records section of a type of vulnerability contains sensitive information gathered by Fluid Attacks' hacking team during ethical vulnerability exploitation. This information is specific to your organization and may include financial details (e.g., account numbers, transactions, credit card numbers), personal data (e.g., phone numbers, contacts, personally identifiable information) and technical information (e.g., roles, keys, access tokens).

See affected records on the Fluid Attacks platform

Comment on a type of vulnerability

Role requirement info
Plan required: Advanced
Note on Consulting section in Essential
The Consulting section is available in the Essential plan in view-only mode.
Role requirement info
Role required: User, Vulnerability Manager or User Manager

The Consulting section is a forum-like space for discussions between your team and Fluid Attacks about the type of vulnerability in question. Any member can post a new thread or reply to an existing one. To learn more about this help option, read Comment on Consulting sections.

Comment on a type of vulnerability on the Fluid Attacks platform

Notify of a type of vulnerability

Role requirement info
Role required: Vulnerability Manager or User Manager

The Fluid Attacks platform allows you to send an email notification to members informing them of the vulnerabilities of a specific type that are still present. To do this, follow these steps:
1. Access the group where the target type of vulnerability was detected.

2. In the Vulnerabilities section, click on the type of vulnerability.
Select a type of vulnerability on the Fluid Attacks platform

3. In the Locations section, click on the Notify button.
Notify team members of vulnerabilities on the Fluid Attacks platform

4. In the pop-up window, confirm the delivery by clicking Notify.
Confirm vulnerability notification on the Fluid Attacks platform

The notification is then sent to members who have Vulnerability alert enabled.

Request reattacks

Role requirement info
Role required: User, Vulnerability Manager or User Manager

From Fluid Attacks' platform, you can send requests to verify the effectiveness of your code fixes. These retests done by Fluid Attacks are called reattacks. To request them, you use the Reattack button in the Locations section. Find the entire details about this feature in Verify fixes with reattacks.

Find the retest option on the Fluid Attacks platform

Role requirement info
Role required: Vulnerability Manager or User Manager
Note on the User role
Members with the User role can assign fix work to themselves and edit the External BTS, Tags and Priority values.
You can modify vulnerability management decisions from the platform's Locations section. To make your modifications, follow these steps:
1. Go to the Locations section of the target type of vulnerability.

2. In the table, select the checkbox on the left of the vulnerability that you need to edit.

3. Click the Edit button.
Edit locations on the Fluid Attacks platform

4. Make the necessary changes in the form. Treatment and Assigned can only be modified by Vulnerability Managers and User Managers. (For the descriptions of the fields, read Assign treatments.)
Add new vulnerability tag on the Fluid Attacks platform

5. Click on Confirm to apply the changes.

Approve vulnerability acceptance requests

Role requirement info
Role required: Vulnerability Manager or User Manager

In the Locations section, you can approve the request for a vulnerability to be temporarily or permanently accepted. You do this with the Treatment acceptance button. To learn all the details, read about this topic in Assign treatments.

Accept vulnerability treatment on the Fluid Attacks platform