Reports

Submitting a Report

As a reporter, click "New Report" from your dashboard. Select the organization you are reporting to (if you belong to more than one), then fill in:

  • Title — a brief summary of the vulnerability.
  • Description — what the vulnerability is, with as much detail as possible. Markdown is supported.
  • Reproduction Steps — step-by-step instructions for reproducing the issue. Include URLs, parameters, tools used, and screenshots where helpful.
  • Impact (optional) — describe the potential consequences if the vulnerability were exploited.
  • Suggested Severity (optional) — your assessment of severity on a 1-5 scale.
  • Suggested CWE / OWASP (optional) — if you know the applicable weakness classification.

You can attach files (PDF, images, video) and embed images inline in Markdown fields by dragging them into the editor.

Each report has a tracking ID that you assign, so you can cross-reference it with your own records.

Report Lifecycle

Reports move through these statuses:

  • Open — newly submitted, awaiting review.
  • In Review — an organization member is actively reviewing the report.
  • Closed — the issue has been addressed.
  • Invalid — the report does not describe a valid vulnerability.
  • Duplicate — the issue was already reported.
  • Withdrawn — the reporter withdrew the report.
  • Accepted Risk — the organization acknowledges the issue but has chosen not to remediate it.
  • Informational — the report is noted but does not require action.

Messages

Both reporters and organization members can post messages on a report. Messages support threading (replies). You will receive a notification when a new message is posted on one of your reports.

Getting Paid

If the organization offers payment, a report becomes ready to invoice once three things are true:

  • The fix is live. The organization has marked the fix as shipped to production.
  • You have confirmed the fix. When the fix goes live, open the report, re-test the issue, and choose Confirm fix. If the issue still reproduces, choose Disconfirm fix instead; the report goes back to the organization and must be fixed and re-tested again.
  • The organization has set a payment amount on the report.

Only reports that meet all three conditions appear on your ready list.

You never write an invoice by hand. You choose the reports you want to be paid for, and we build the invoice for you.

Set up your billing details once

Before your first invoice, fill in your billing profile: the payee name, your billing address, your tax ID (if you have one), the email address for payment, your payment details, and your currency. You enter these once, and every invoice is filled in from them automatically. Each invoice also stores a snapshot of these details as they were on the day it was created, so if you change banks later, invoices already issued keep the details they were issued with.

Create an invoice

When you have one or more reports that are ready, a Select Reports for Invoicing button appears. Click it, check the reports you want to invoice, and submit. From there, we automatically:

  • add up the payments and create the invoice,
  • lock those reports so the amount can't change while you are being paid,
  • create a PDF and email it to you and the organization.

If you report to more than one organization, you get a separate invoice for each organization.

Locked reports

Once a report is on an invoice, it is locked. Its payment amount can't be changed by anyone, including the organization, while the invoice is active. This protects you: the figure on the invoice is the figure you are paid, and no one can quietly change what you are owed after the fact.

Changed your mind?

Either you or the organization can Cancel Invoice. Cancelling unlocks the reports and puts them back on your ready list, so you can invoice them again whenever you like.
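The rules above (readiness, confirm/disconfirm, per-organization invoices, locking, the billing snapshot and cancellation) form a small state machine. The following is an added model of that workflow written for this page; it is not the platform's own code, and every name in it (Report, Invoice, BillingProfile, create_invoices, and so on) is an assumption chosen for illustration. It shows the one property a reporter should care about most: a locked report rejects any payment change until its invoice is cancelled.

```python
"""Model of the report-to-invoice workflow: readiness, per-organization
invoices, locking, billing snapshot, cancellation.
Constructed illustration for this page, not the platform's own code."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from itertools import count
from typing import Iterable


class LockedReportError(Exception):
    """Raised on any attempt to change a report that is on an active invoice."""


@dataclass(frozen=True)  # frozen: an invoice that holds this object holds a true snapshot
class BillingProfile:
    payee: str
    address: str
    payment_email: str
    currency: str
    tax_id: str | None = None


@dataclass
class Report:
    tracking_id: str               # reporter-assigned, for cross-referencing
    org: str
    fix_live: bool = False         # set by the organization
    fix_confirmed: bool = False    # set by the reporter after re-testing
    payment: Decimal | None = None
    invoice_id: str | None = None  # non-None while the report is on an active invoice

    @property
    def locked(self) -> bool:
        return self.invoice_id is not None

    @property
    def ready(self) -> bool:
        """Fix live AND confirmed AND payment set AND not already invoiced."""
        return (self.fix_live and self.fix_confirmed
                and self.payment is not None and not self.locked)


@dataclass
class Invoice:
    invoice_id: str
    org: str
    report_ids: list[str]
    total: Decimal
    billing: BillingProfile        # snapshot taken at creation time
    active: bool = True


def mark_fix_live(r: Report) -> None:
    r.fix_live = True
    r.fix_confirmed = False        # a new deployment must be re-tested


def confirm_fix(r: Report, still_reproduces: bool) -> None:
    if not r.fix_live:
        raise ValueError("nothing to confirm: the organization has not shipped a fix")
    if still_reproduces:           # "Disconfirm fix": back to the organization
        r.fix_live = False
        r.fix_confirmed = False
    else:                          # "Confirm fix"
        r.fix_confirmed = True


def set_payment(r: Report, amount: Decimal | str | int) -> None:
    if r.locked:
        raise LockedReportError(f"{r.tracking_id} is locked by invoice {r.invoice_id}")
    amount = Decimal(amount)
    if amount <= 0:
        raise ValueError("payment must be positive")
    r.payment = amount


_invoice_numbers = count(1)


def create_invoices(reports: Iterable[Report], selected: set[str],
                    profile: BillingProfile) -> list[Invoice]:
    """Build one invoice per organization from the selected ready reports and lock them."""
    chosen = [r for r in reports if r.tracking_id in selected]
    not_ready = [r.tracking_id for r in chosen if not r.ready]
    if not_ready:
        raise ValueError(f"not ready to invoice: {not_ready}")
    by_org: dict[str, list[Report]] = defaultdict(list)
    for r in chosen:
        by_org[r.org].append(r)
    invoices: list[Invoice] = []
    for org, rs in sorted(by_org.items()):
        inv = Invoice(f"INV-{next(_invoice_numbers)}", org,
                      [r.tracking_id for r in rs],
                      sum((r.payment for r in rs), Decimal(0)), profile)
        for r in rs:
            r.invoice_id = inv.invoice_id   # lock until the invoice is cancelled
        invoices.append(inv)
    return invoices


def cancel_invoice(inv: Invoice, reports: Iterable[Report]) -> None:
    """Deactivate the invoice and return its reports to the ready list."""
    inv.active = False
    for r in reports:
        if r.invoice_id == inv.invoice_id:
            r.invoice_id = None
```

Two design choices carry the guarantees the page describes. BillingProfile is frozen, so an invoice created from it keeps the same payee and bank details no matter what the reporter edits afterwards; "changing banks" means creating a new profile object, not mutating the old one. And the lock is enforced at the only write path for the amount (set_payment), not by a flag the UI is trusted to honour.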