Scopes

Overview

Scopes define the different parts of your system that a vulnerability report can concern. For example, Web and API could be two separate scopes.

Defining scopes helps researchers use more accurate language in their reports. It also helps Fort AI assign the report to the right team member and assess the severity of a report more accurately.

Defining Scopes

You can define your workspace scopes on the Scopes page under the workspace settings. Each scope has a few attributes:

  1. Name: The name of the scope which helps you identify it. “Web”, “API” or “Language Model” are good examples.
  2. Description: A description of the scope. This helps Fort AI identify the scope in a report. Use clear and descriptive language to define the scope here.
  3. Lead: The primary responsible team member for this scope. This team member will be notified when a report related to this scope is received. The Lead also approves outbound correspondence composed by other team members on reports in this scope. See Correspondence Approval for details.
  4. Eligible for Bounty: Whether reports related to this scope are eligible for your bounty program.
  5. Maximum Severity: The maximum severity level that can be assigned to reports in this scope. Choose from: Undetermined, Info, Low, Medium, High, or Critical.

Best Practices in Defining Scopes

Use URLs

As security reports are usually related to a public web-based endpoint, using a URL when defining the scope is always a good idea. For example, define your web application scope with something like this:

  • Name: Web Application
  • Description: Any report related to https://app.example.com including all protected and unprotected paths.

Assign Realistic Max Severities

Assign realistic maximum severities to your scopes. For example, if a vulnerability in an internal system that doesn’t expose any sensitive information will not demand an urgent fix, setting that scope’s maximum severity to Critical misleads the system into assigning reports in that scope a higher priority than they warrant.

Consider what level of response each scope warrants:

  • Low — Valid reports will require a fix within the next month.
  • Medium — Reports need attention within a couple of weeks.
  • High — Reports should be addressed within days.
  • Critical — Reports of serious security vulnerabilities where customer data is exposed, requiring immediate action.