Receiving Your First Report
Overview
Once your Workspace is set up and its email address is advertised, you can start receiving reports from security researchers. This guide will help you understand how to receive and manage reports in Fortworx.
In this tutorial we will learn how to:
- Receive our first report
- Use Fortworx suggested responses
- Resolve reports
Receiving Reports
When a security researcher finds a vulnerability in your application, they will report it to you via the email address you provided in your Workspace. Sometimes the email includes full details about the vulnerability, with attachments, proofs of concept and other relevant information. However, sometimes the email only contains a brief description of the vulnerability, and the researcher will provide more details once you acknowledge the report.
Let’s start by sending a security vulnerability report:
Open up your email client and compose an email to your Fortworx workspace’s email address (you can find this when your dashboard is empty or on your Workspace settings page):
Hi!
I’ve found a security issue on your website. How can I report this issue safely?
Send your report!
Now let’s switch roles to the workspace user, you!
Wait a few seconds and your email should show up as a report on the dashboard. Go ahead and click on the report and see what’s inside.
Responding to Reports
Given that our report was an offer to disclose a vulnerability, you will see the report as just that: an offer to disclose a security vulnerability.
This will prompt Fortworx to suggest a reply to the reporter, to start the conversation and ask them to provide further details. You can accept this suggestion by clicking the “Respond by asking for more information” button.
You can review the suggested response and send it to the researcher. Note that this changes the status of the report from Investigating to Waiting for information.
What is the report status?
All reports have a single status. This status changes as the conversation between you and the researcher continues. You can also change the status manually on the report, or by archiving or closing the report.
Read more about report statuses.
Conversations
Any response to the researcher will be sent to them by email. The email will be from your Fortworx Workspace and to their original email address. In our case, we sent an email to the researcher and asked for more information about the potential vulnerability.
Let’s switch roles again and respond to this request:
Hi!
I found a security issue on your website. The issue is related to the change password flow on your site. On the Change Password page, go to the developer tools and view the source. You can see the current password in clear text.
This means you are storing the password in clear text in your database which is very bad practice.
Let’s send this email!
When this email is received by your Workspace, Fortworx will analyze it and update the report attributes, including severity, vulnerability type and scope.
Investigating and Resolving the Issue
Now we know we have a potentially serious security issue on our hands. The report status has changed to Investigating, and we are going to confirm that this issue is a valid one.
After investigating the issue, we found out that we store passwords as clear text in our DB. Let’s change the report status to Accepted and proceed to fix the issue.
Changing the status to Accepted prompts Fortworx to suggest a reply to the researcher. Accept the suggestion, review the suggested response and send it.
Now that the issue is fixed, we can change the status of the report to Resolved. This status change will trigger a response suggestion to the researcher, informing them of the fix.
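As an added example (not Fortworx's code and not part of the original guide), here is what the fix for the reported clear-text password issue looks like in a minimal Python change-password flow: passwords are stored as salted PBKDF2 hashes, the current password is re-verified before a change is accepted, and the data handed to the Change Password page template carries no credential. The function names, the iteration count and the in-memory user store are assumptions.

```python
# Added example, not Fortworx code: a minimal change-password flow that fixes the
# reported issue (clear-text password in the database and in the page source).
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor (assumed value; tune for your deployment).
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'iterations$salt_hex$hash_hex' using a fresh random salt per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed in-memory user store: username -> stored hash, never the plaintext.
users = {"alice": hash_password("correct horse")}


def change_password(store: dict, username: str, current: str, new: str) -> bool:
    """Re-authenticate with the current password before storing the new hash."""
    stored = store.get(username)
    if stored is None or not verify_password(current, stored):
        return False
    store[username] = hash_password(new)
    return True


def change_password_page_context(store: dict, username: str) -> dict:
    """Template data for the Change Password page: contains no credential at all.
    The reported bug was a current-password value emitted into the page source;
    here the form simply asks the user to type it, so nothing secret is rendered."""
    return {"username": username, "fields": ["current_password", "new_password"]}
```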