
Scopes

Overview

Scopes divide your system into the distinct parts that vulnerability reports can refer to. For example, a Workspace might have a Web scope and an API scope.

Defining scopes helps researchers use more precise language in their reports. It also helps Fortworx assign each report to the right team member and respond appropriately to the report's severity.

Defining scopes

You can define your Workspace scopes on the Scopes page under the Workspace menu. Each scope has a few attributes:

  1. Name: The name of the scope, which helps you identify it. “Web”, “API” and “Language Model” are good examples.
  2. Description: A description of the scope. This helps Fortworx identify the scope in a report. Use clear and descriptive language to define the scope here.
  3. Lead: The primary responsible team member for this scope. This team member will be notified when a report related to this scope is received.
  4. Eligible for Bounty: Whether reports related to this scope are eligible for your bounty program.
  5. Maximum severity: The maximum severity that can be assigned to this scope, using a number between 0 and 10.

Best Practices in Defining Scopes

Use URLs

As security reports usually concern a public, web-based endpoint, including a URL in the scope definition is always a good idea. For example, define your web application scope like this:

  • Name: Web Application
  • Description: Any report related to https://app.example.com including all protected and unprotected paths.

Assign realistic max severities

Try to assign realistic max severities to your scopes. For example, if no vulnerability in an internal system that exposes no sensitive information would ever demand an urgent fix, assigning that scope a maximum severity of 10 will mislead the system into giving reports for it a higher priority than they deserve.

You can use a scale to guide realistic max severity assignments. A max severity of 0 means that valid vulnerability reports for the scope will require a fix within the next month, while a max severity of 10 means that reports of a serious vulnerability, such as customer personal information being exposed to the public, will require an immediate fix.
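To make the attributes and best practices above concrete, here is an added example (not Fortworx's own code or API) that models a scope, validates the 0 to 10 max severity range, lints a definition against the "Use URLs" and lead-assignment guidance, and shows how a report's severity is capped by the scope's maximum. The `Scope`, `lint_scope` and `triage` names and the sample scopes are assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of a scope as described on this page; not a Fortworx API.
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Scope:
    name: str
    description: str
    lead: Optional[str] = None          # team member notified on new reports
    eligible_for_bounty: bool = False
    max_severity: int = 10              # highest severity a report here can get

    def __post_init__(self) -> None:
        if not self.name.strip():
            raise ValueError("scope needs a name")
        if not 0 <= self.max_severity <= 10:
            raise ValueError("max_severity must be between 0 and 10")


def lint_scope(scope: Scope) -> List[str]:
    """Return best-practice warnings for a scope definition (empty if clean)."""
    warnings = []
    if not URL_RE.search(scope.description):
        warnings.append("description has no URL; name the endpoint explicitly")
    if scope.lead is None:
        warnings.append("no lead assigned; nobody will be notified")
    return warnings


def triage(report_severity: int, scope: Scope) -> dict:
    """Cap the reported severity at the scope maximum and route to the lead."""
    effective = min(max(report_severity, 0), scope.max_severity)
    return {"severity": effective, "notify": scope.lead,
            "bounty": scope.eligible_for_bounty}


if __name__ == "__main__":
    # Constructed sample scopes following the page's recommendations.
    web = Scope("Web Application",
                "Any report related to https://app.example.com including "
                "all protected and unprotected paths.",
                lead="web-lead", eligible_for_bounty=True, max_severity=10)
    internal = Scope("Internal Tool", "Internal admin dashboard", max_severity=4)
    print(lint_scope(web), lint_scope(internal))
    print(triage(8, web), triage(9, internal))
```

A report rated 9 against the internal scope is recorded at severity 4, which is the page's point about max severity driving priority.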