Security Issues
Overview
The Issues page centralizes security findings from your attack surface. Track vulnerabilities, misconfigurations, and exposures with a structured remediation workflow.
Issue Sources
Discovery Findings
Issues discovered through scanning:
- Open ports exposing services
- Outdated software versions
- Misconfigured servers
- Expired certificates
- Missing security headers
Penetration Testing
Findings from pentest campaigns:
- Exploitable vulnerabilities
- Business logic flaws
- Authentication issues
- Injection points
Manual Reports
User-reported issues:
- Bug bounty submissions
- Internal discoveries
- Third-party notifications
Issue Dashboard
Key Metrics
| Metric | Description |
|---|---|
| Total Open | Unresolved issues |
| Critical/High | Severe issues |
| Aging | Issues past SLA |
| Resolved | Recently fixed |
Views
| View | Content |
|---|---|
| All Issues | Complete issue list |
| My Issues | Assigned to you |
| Critical | Highest severity only |
| Aging | Past remediation SLA |
Issue Severity
Severity Levels
| Level | Description | SLA |
|---|---|---|
| Critical | Immediate exploitation risk | 24 hours |
| High | Significant risk | 7 days |
| Medium | Moderate risk | 30 days |
| Low | Minimal risk | 90 days |
| Informational | No direct risk | No SLA |
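The Aging view and SLA-breach alerts below follow directly from this table: an open issue becomes aging once its created time plus the severity's SLA window has passed. The following is an added example, not the platform's own code, that applies the table to a few constructed issues; the `Issue` fields and the set of statuses that keep the SLA clock running are assumptions based on the Issue Fields and Status Definitions sections.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Remediation SLA per severity level, taken from the Severity Levels table.
# Informational has no SLA and is deliberately absent from the mapping.
SLA = {
    "Critical": timedelta(hours=24),
    "High": timedelta(days=7),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=90),
}

# Assumption: statuses in which the clock is still running. Fixed/Verified/Closed
# stop it, and Won't Fix is an accepted risk no longer measured against the SLA.
OPEN_STATUSES = {"New", "Confirmed", "In Progress", "Reopened"}


@dataclass
class Issue:
    title: str
    severity: str
    status: str
    created: datetime


def sla_deadline(issue: Issue) -> Optional[datetime]:
    """Remediation deadline, or None for severities without an SLA."""
    window = SLA.get(issue.severity)
    return issue.created + window if window else None


def is_aging(issue: Issue, now: datetime) -> bool:
    """True when an open issue has passed its SLA deadline (the Aging view)."""
    deadline = sla_deadline(issue)
    return issue.status in OPEN_STATUSES and deadline is not None and now > deadline


def aging_report(issues: List[Issue], now: datetime) -> List[str]:
    """One line per aging issue, most overdue first, suitable for an SLA alert."""
    late = sorted((i for i in issues if is_aging(i, now)), key=sla_deadline)
    return [f"{i.title} ({i.severity}, {(now - sla_deadline(i)).days}d over SLA)" for i in late]


# Constructed sample data for demonstration only.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ISSUES = [
    Issue("Expired TLS certificate", "Critical", "Confirmed", NOW - timedelta(hours=30)),
    Issue("Missing security headers", "Low", "New", NOW - timedelta(days=10)),
    Issue("Outdated software version", "High", "Fixed", NOW - timedelta(days=20)),
    Issue("Banner disclosure", "Informational", "New", NOW - timedelta(days=400)),
    Issue("Open management port", "Medium", "Reopened", NOW - timedelta(days=45)),
]

if __name__ == "__main__":
    for line in aging_report(SAMPLE_ISSUES, NOW):
        print(line)
```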
Severity Factors
What determines severity:
- Exploitability
- Data exposure risk
- System criticality
- Internet accessibility
- Existing controls
Issue Details
Issue Fields
| Field | Description |
|---|---|
| Title | Brief description |
| Severity | Risk level |
| Asset | Affected asset |
| Category | Issue type |
| Description | Full details |
| Evidence | Supporting proof |
| Remediation | Fix instructions |
| Status | Current state |
Evidence
Evidence includes:
- Screenshots
- Request/response logs
- Tool output
- Steps to reproduce
Issue Workflow
Status Flow
New → Confirmed → In Progress → Fixed → Verified → Closed
Side exits from this flow: Won't Fix (the risk is accepted instead of remediated) and Reopened (the issue is returned to the flow).
Status Definitions
| Status | Meaning |
|---|---|
| New | Just discovered |
| Confirmed | Verified as valid |
| In Progress | Being remediated |
| Fixed | Remediation applied |
| Verified | Fix confirmed working |
| Closed | Issue resolved |
| Won't Fix | Accepted risk |
| Reopened | Issue returned |
Managing Issues
Triaging Issues
When a new issue arrives:
- Review issue details
- Verify it's valid
- Assess severity
- Assign to owner
- Set target date
Assigning Issues
- Open issue
- Click Assign
- Select owner
- Add notes
- Save
Updating Status
- Open issue
- Click Update Status
- Select new status
- Add comment explaining change
- Save
Remediation
Remediation Guidance
Each issue includes:
- Description of the problem
- Why it matters
- How to fix it
- Verification steps
Remediation Steps
Understand
Review issue details and impact.
Plan
Determine remediation approach.
Implement
Apply the fix.
Verify
Confirm the issue is resolved.
Close
Mark issue as closed.
Verification
Before closing:
- Re-test the vulnerability
- Confirm it's not exploitable
- Document verification method
- Request independent verification (for high/critical)
False Positives
Handling False Positives
When a finding isn't valid:
- Open issue
- Click Mark as False Positive
- Provide explanation
- Add evidence
- Submit
False Positive Review
False positives are reviewed to:
- Update automated checks
- Prevent future false positives
- Maintain accuracy
Risk Acceptance
When to Accept Risk
Accept risk when:
- Remediation cost exceeds risk
- Compensating controls exist
- Business requires the configuration
- Technical limitations prevent fix
Accepting Risk
- Open issue
- Click Accept Risk
- Provide justification
- Set review date
- Get approval (if required)
- Submit
Risk Acceptance Review
Accepted risks are reviewed:
- Periodic re-evaluation
- Manager approval
- Documentation for audits
Reporting
Issue Reports
Generate reports:
- Open issues summary
- Issues by severity
- Issues by asset
- Aging report
- Trend analysis
Compliance Evidence
Issue management provides evidence for:
| Framework | Requirement |
|---|---|
| SOC 2 | CC7.1, CC7.2 |
| ISO 27001 | A.12.6.1 |
Integration
Alerting
Configure alerts for:
- New critical issues
- SLA breaches
- Status changes
- Issue reopened
Best Practices
Triage Quickly
New issues should be triaged within 24 hours. Assign owners promptly.
Meet SLAs
Track SLA compliance. Escalate aging issues before they breach.
Verify Fixes
Always verify remediation. Don't just trust "it's fixed."
Document Everything
Maintain clear records for audit purposes.