Reviewing

Reviewing a Report

Open a report and click "Create Review." A review captures:

  • Whether the issue was verified (reproduced).
  • The organization's severity assessment.
  • Whether the issue has been fixed.
  • Classification flags — PII, PHI, access control, confidentiality, integrity, availability.
  • Reviewer notes — internal analysis in Markdown.

You can create multiple reviews as the investigation progresses. Each review is timestamped and attributed to the reviewer.

Internal Messages

Organization members can mark messages as internal, which makes them visible only to other organization members. This is useful for internal discussion that should not be shared with the reporter.
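The visibility rule above is an access-control check, and the usual way it fails is that the thread listing filters internal messages out while a direct lookup by message id does not. The following is an added Python illustration, not the platform's own code: the `Message`, `Viewer`, `visible_messages`, `get_message` and `mark_internal` names, and the sample thread, are hypothetical and constructed here to show the rule applied at both access paths and on the act of marking.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Message:
    """One message in a report's thread (hypothetical model)."""
    id: int
    report_id: int
    author: str
    body: str
    internal: bool = False   # internal messages are visible to organization members only


@dataclass(frozen=True)
class Viewer:
    """Who is asking: an organization member, or the reporter."""
    user: str
    org_member: bool


def can_see(message: Message, viewer: Viewer) -> bool:
    """Single source of truth for the visibility rule."""
    return viewer.org_member or not message.internal


def visible_messages(messages: List[Message], viewer: Viewer, report_id: int) -> List[Message]:
    """Thread listing: only messages of this report that the viewer may see."""
    return [m for m in messages if m.report_id == report_id and can_see(m, viewer)]


def get_message(messages: List[Message], viewer: Viewer, message_id: int) -> Optional[Message]:
    """Direct lookup by id applies the same rule, so an id guessed or remembered
    from elsewhere cannot bypass the list filter. A denied lookup returns None
    exactly like a missing id, so it does not confirm that the message exists."""
    for m in messages:
        if m.id == message_id:
            return m if can_see(m, viewer) else None
    return None


def can_mark_internal(actor: Viewer) -> bool:
    """Only organization members may mark a message internal."""
    return actor.org_member


def mark_internal(message: Message, actor: Viewer) -> Message:
    """Return a copy flagged internal, or refuse if the actor is not an organization member."""
    if not can_mark_internal(actor):
        raise PermissionError(f"{actor.user} may not mark messages internal")
    return replace(message, internal=True)


# Constructed sample thread for report 42 (and one message from another report).
THREAD = [
    Message(1, 42, "reporter", "Found an authorization bypass on the export endpoint"),
    Message(2, 42, "alice@org", "Reproduced; waiting on the backend team for an ETA", internal=True),
    Message(3, 42, "alice@org", "Thanks, we have reproduced this and a fix is in progress"),
    Message(4, 43, "reporter", "Unrelated report"),
]
REPORTER = Viewer("reporter", org_member=False)
STAFF = Viewer("alice@org", org_member=True)


if __name__ == "__main__":
    for who in (REPORTER, STAFF):
        ids = [m.id for m in visible_messages(THREAD, who, 42)]
        print(f"{who.user} sees messages {ids}")          # reporter [1, 3], alice@org [1, 2, 3]
    print(get_message(THREAD, REPORTER, 2))               # None: direct lookup is also denied
    print(get_message(THREAD, STAFF, 2).body)
```

The point of routing both the list and the single-item fetch through `can_see` is that the rule lives in one place; a second copy of the condition in the lookup path is where these filters drift apart. Returning `None` for a denied lookup rather than an error keeps the response indistinguishable from a nonexistent id.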

Payments

Set a report's severity and payment amount from the report page. If your organization has configured a payment schedule (a recommended amount per severity level), the recommended amount is shown as a hint when you pick a severity — you can still enter any amount. Reporters can see the payment you set, and raise any disagreement in the report's message thread.

Reporters drive invoicing: once a fix is live and the reporter has confirmed it, they select which reports (those with a payment set) to invoice, and an invoice is generated and emailed to both sides.

Publishing

When a report has been reviewed, you can publish it to your connected integrations (Linear, Slack). Publishing creates an issue in your issue tracker and posts a notification to your messaging channel. See the Integrations section for setup details.