
Reports

Reports are the core data structure in SevHunt, tracking security issues from submission to close. This document serves as a reference guide for a report's fields and features.

Report statuses

The status field determines how a report appears in listings and statistics:

Draft

New reports start as drafts, and are only visible to the creator until they are submitted. Users can start a draft and come back at any time in the future, either to submit it (→ New) or delete it (→ Deleted).

If a user wants help with a draft before submission, they can send a member of the triage team a link to the draft.

New

Submitted draft reports land in this status, awaiting triage to either accept (→ Accepted) or reject (→ Rejected) them. When a report's status changes out of "New", the reporter is notified via email.

Accepted

Accepted reports are awaiting a fix (→ Fixed), and should be awarded soon after acceptance. Accepted reports that are still unawarded are searchable in the report listing.

Fixed/Rejected

Fixed and rejected reports are considered "done", but can always be re-opened if new information arises.

Deleted

Reports can only be deleted from the "Draft" state, and deleted reports do not show up in any listings in SevHunt. Once a report has been submitted it cannot be deleted, nor hidden from the admin/triage views.

Report awards

Reports can be awarded at any time with an arbitrary number of Points, which are later spent in your Store.

Points are more like tickets at an arcade than a "virtual currency": they can't be transferred between users or used outside your Store.

That said, depending on what's in your Store, be careful about how much you award. Report settings can help guide you to a typical "payout" for a given severity.

Report severity

Reports have a severity level of None, Low, Medium, High, or Critical. This matches the qualitative scale used by scoring systems like CVSS, but SevHunt has no opinion on what warrants a given level, so ultimately it's your call.

That said, here's an example of a "gut check" scoring system, if you want something practical to start with:

Severity    Explanation
None        No conceivable security impact; we will not take any action in response to this report.
Low         We plan to fix the issue, whether it has security impact or not.
Medium      It'd be unfortunate if someone exploited this, but not the end of the world.
High        This would have some tangible impact on the company if exploited.
Critical    Not fixing this could be disastrous for our company's reputation / integrity.

In reality, internal issues are often scored similarly and not with a calculator meant for CVEs.

One last piece of advice: if you're wavering between None and Low (i.e. thinking of rejecting the report), ask yourself, "If someone tweeted this out, would we be embarrassed?" If the answer is no, you're probably fine to reject.

Report replies

You can use the "Reply" tab at any time to chat with the reporter. Each reply triggers an email, but otherwise does not prompt "the other side" to reply. If a report is stalled long enough, don't be afraid to use another channel like chat (Slack).

Report encryption

When a report is created or edited, its contents are encrypted using a scheme under which the reporter and the triage team each hold their own separate public/private key pair, so either side can decrypt the report without the other.

If both the reporter and the triage team lose all copies of their keys, the report remains "sealed" and shows up as "ENCRYPTED" in listings. Nothing can recover it; to move forward, users and the triage team rotate to new sets of keys and continue working on new reports.

The best way to prevent this is to save the passphrase for your private key in a password manager; you'll be prompted to do so when you create your organization or rotate to a new user or organization key.