Releases

2026.03.10

MCP (Model Context Protocol) server

Reporter now ships with a built-in MCP server, allowing AI assistants to interact with your Reporter instance through natural conversation.

Short screen recording showing the MCP server in action:

When creating an API token, Reporter also provides the MCP configuration JSON. Copy this to your AI client to give it access to more than 100 Reporter tools covering the full assessment lifecycle.

Works with popular AI assistants such as Claude and ChatGPT, self-hosted AI tools, and developer environments like Cursor or Visual Studio Code to assist in code reviews or white-box assessments, as well as any other MCP-compatible client.

This is the first step in a broader set of AI capabilities planned for upcoming releases.

Note on AI usage: When working with sensitive assessment data, avoid sending it to external AI providers. For security-sensitive workflows, self-hosted AI models are recommended.

Visibility controls for checklists

You can now fine-tune how checklists are made visible to client users. The following visibility options were added:

Private: Hidden from clients and visible only to researchers.
Unpublished: Hidden from clients while the assessment is in progress and automatically published upon completion. Optionally, checklist progress can be shown to clients without revealing detailed results (e.g., pass/fail status).

Joined code blocks

Added support for joined code blocks in Markdown.

Two types of joined code blocks are supported:

Vertically joined code blocks allow snippets with different syntax highlighting styles to be combined. This is useful when a single example contains multiple languages.

Horizontally joined (side-by-side) code blocks improve readability for request/response examples and other related snippets.

Improvements

Added a new Compliant / Not Compliant scoring system.
The 2025 version of the OWASP Top 10 is now available, both as an assessment template and a checklist template. On existing installations, admins or template managers can add these templates by going to the assessment template or checklist template page, and clicking the "Clone default template" button.
Added an option to the Findings Table report component to display a column with the original severity of each finding.
The Research Started On report component now allows selecting an end date different from the delivery date.
Admins are now notified by email when a webhook fails. OAuth connection failures notify only the user who configured the connection.
Checklists can now be reordered in assessments and assessment templates that contain multiple checklists.
Admins can now cancel assessment deletion requests submitted by clients.

Bug fixes

Image tags are now fully stripped when creating a template from a finding (including parameters such as {scale=100}).
Fixed an issue where the Request revision button in the Summary tab of the assessment overview did not function correctly.
Fixed a bug that caused an error to appear when deleting an assessment.
Fixed a server error that occurred when resolving a finding without a severity.
Fixed a 500 API error that occurred when updating custom fields without permission to update default fields.
Restored missing tooltips for Markdown form element labels.
Fixed an issue where certain characters caused section headers to terminate prematurely in PDF reports.
Fixed an issue where some properties did not update when editing an assessment checklist.
Fixed an error in the online report when a report page was missing a background.
Fixed minor badge styling issues in reports.

2026.02.10

Download Show checksums

n8n

The latest release of Security Reporter includes an integration with n8n, making it possible to add another layer of automation and customization on top of Security Reporter without having to write a single line of code!

Follow the guide here to set up the Reporter integration in n8n.

Our latest blog shows an example of how you can integrate Reporter with Jira using n8n.

Other Improvements

In the finding layout, you can now configure conditions to show or hide fields based on assessment and client fields. The n8n blog post includes an example in which the Jira Issue field is displayed only when it is not empty.
OWASP ASVS v5 has been added to the checklist templates. You can add it to the list of checklist templates by going to Templates > Checklist Templates, clicking Clone default template, and selecting OWASP Application Security Verification Standard v5.
Admin users can now be assigned to test cases directly from the checklist table.
Editor autocomplete has been improved. You can now use the Tab key to accept a suggestion, and [mask] has been added to the autocomplete options.
Add 'Show details' tooltip to tool finding titles.
Documentation for using custom CA certificates has been added.
An option has been added to URL custom fields to control link behavior, either opening in a new tab or the current window. For existing custom fields, links now open in a new tab by default.
The section status badge that appears in the assessment overview tab is now smaller.
A button has been added to the top of a finding that scrolls to the latest retest when clicked:

Report compilation bug fixes

Fix an issue where a link in a PDF that continues on the next page would make the whole page clickable.
Fix an issue where rendering inline code inside a table would crash report compilation.
Fix an issue where mark tags could highlight the wrong text when used in combination with Unicode characters.
Fix an issue where inline code started a new paragraph.
Fix a bug that caused the PDF index to contain duplicate entries.
Fix several additional rare issues related to PDF compilation.

Other bug fixes

Fix an issue where the 'Add Checklist' button was visible to users without checklist creation permissions.
Fix a bug that caused targets to not appear in the targets list after adding them.
Fix an issue where the checklist table always showed the pass rate in the PDF report, even if the option was turned off.
Fix an issue where the pass rate text could not be translated.
The deprecated 'X-XSS-Protection' header has been removed.
Fix results when filtering assessments by 'Research phase completed at'.
Fix a bug that caused custom field regex validation to fail when using a pipe operator.
Boolean custom field changes in the theme editor are now saved.
Fix a bug that caused theme exports to fail when the colors of a custom field had previously been modified in the theme settings.
Fix a bug that made it impossible to change the 'password-protected PDF reports' setting from 'false' to 'true'.
Fix a bug that caused the add snippet button to not work in the assessment template edit page.
Fix a bug that caused the user page to throw an error if the logged-in user had no timezone.
Fix a bug in pages with a resizable split pane (such as the finding layout edit page) that caused the divider to stick to the mouse.
Fix a bug that sometimes caused a 500 Internal Server Error on the task page.
Fix a bug that caused result icons to become misaligned in the checklist table.
Fix a bug that caused the result of a test case to not get updated when the vulnerability state of a finding changed.

2025.12.30

Download Show checksums

API Filtering

In the previous release, we introduced new API filter operators such as greater-than and not-equal. A bug in that implementation caused some API integrations to break when multiple filter values were used. Previously, a filter like filter[severity]=1,2 returned results where severity = 1 OR severity = 2. Due to the bug, this was incorrectly evaluated as severity = 1 AND severity = 2, resulting in no matches. This issue has now been fixed. Multiple filter values once again default to OR behavior.

In addition to this fix, we added support for more advanced filtering. Filters prefixed with and_ require all conditions to be met, enabling use cases such as “not 1 AND not 2.” For example: filter[and_severity]=<>1,<>2.

Other Improvements

Improved several UI interactions with checklists:
- You can now collapse categories while filtering.
- You can now stop editing test cases by clicking on them.
- Test case finding link now has a visual indicator that findings are a link.
- Those finding links now open in a new tab.
- When the checklist is updated, test cases you are editing no longer reload.

Bug Fixes

Fixed unreliable syncing to Elasticsearch, causing some or all results to be missing from search results.
Fixed the "Add Target" button in the targets tab on the main assessment page.
Fixed a bug where non-markdown text fields, such as names and titles, that allow Todo tags, were saved HTML-encoded.
Fixed an issue where Elasticsearch would reindex every night for large databases.
Requesting a revision without text now correctly displays the validation error instead of reloading the page.
Tables in PDF reports no longer sometimes run off the page if there is a placeholder in them.

2025.12.11

Download Show checksums

Elasticsearch and Redis updated

Breaking change, read the upgrade guide! - Likelihood of Impact: Very High

Reporter has been updated to use Elasticsearch 8 and Redis 8. You MUST upgrade to Elasticsearch 8 and Redis 8 as part of this upgrade! Reporter will not be compatible with Elasticsearch 7 after this upgrade.

Use the following instructions to set up Elasticsearch 8 and Redis 8:

Upgrade Guide

Dynamic comparison operators for API filters

You can now use comparison operators in API filters for exact fields by prefixing the field name. For example, filter[severity]=<2 returns records where severity is less than 2.

Operator	Description	Example
(none)	Equal to	`filter[severity]=2`
`<>`	Not equal to	`filter[severity]=<>2`
`<`	Less than	`filter[severity]=<2`
`<=`	Less than or equal to	`filter[severity]=<=2`
`>`	Greater than	`filter[severity]=>2`
`>=`	Greater than or equal to	`filter[severity]=>=2`

New checklist templates

The following checklist templates are now available:

OWASP AI Testing Guide - Version 1
OWASP Top 10 for LLM Applications - version 2025
OWASP Mobile Top 10 - version 2024
OWASP API Security Top 10 - version 2023
OWASP Top 10 CI/CD Security Risks - version 2023
OWASP Kubernetes Top 10 - version 2022
OWASP Cloud-Native Application Security Top 10 - version 2022
OWASP Top 10 - version 2021
OWASP Docker Top 10 - version 2020
OWASP Internet of Things Top 10 - version 2018

You can add any of the new templates if you are an admin or a checklist template manager by following these steps:

Go to the Checklist templates page.
Click Clone default template.
Select the template you want to add.
Click Create fresh copy of template.

new checklist templates instructions

Improvements

[todo] tags are now also rendered in text fields, for example, in the title of the finding (template) edit page.
The assessment wrench dropdown menu has been restructured for improved clarity.
Targets on the finding show page are now rendered as links. Clicking on a target opens a modal with its details.
Add storage and Elasticsearch info to the status report.

Bug Fixes

Updated several third-party dependencies.
Fixed inconsistent expand/collapse behaviour in the checklist table.
Fixed an error that occurred when loading the researcher panel in certain assessments.
Resolved out-of-memory issues and a MySQL packet limit issue with the tool import.
Fixed a bug where test cases on the finding show page would not open the checklist modal after using inline edit on another field.
Fixed an issue where unclosed callouts in markdown were not rendered properly or caused an error.
Fixed an error that caused documents to not be rendered correctly in the researcher panel target details.
Fixed a bug that prevented the project admins from seeing assessment activity.
Fixed a bug where filtering assessments by manager or researcher did not work.
Fixed broken links to "suggest" and "create templates from findings".
Fixed an error that occurred when trying to create a file custom field.
Fixed a bug that cause the result of a test case to become desynced from the related findings.

2025.11.12

Download Show checksums

Duplicate Assessments

With just a few clicks, you can now duplicate entire assessments, making this functionality perfect for setting up recurring engagements. Create your assessment once, then clone it for each new iteration or project. All your targets, structure, and even unresolved findings can be carried over.

You can access the duplication feature from the Assessment dropdown on the main assessment page. When you duplicate an assessment, basic information and the assessment structure is always copied. Other elements, like the researcher briefing, targets, and unresolved findings, can be toggled. Duplicated assessments are always assigned a "Duplicated - Needs Review" tag, allowing you to find them easily. See the documentation for more details.

Duplicate assessments form

Targets in the Researcher Panel

Targets are now directly accessible from the Researcher Panel. Switch views using the new buttons in the top-left corner to easily jump between findings and targets.

In the Targets view, you can view details, create, edit, delete, and reorder targets without needing to refresh the page. This gives researchers and managers a smoother and more efficient experience.

Targets in researcher panel

Improvements

Added a new [mask] tag to the markdown editor that can be used to mask sensitive information, such as credentials, by default. An icon is displayed next to the mask, which can be used to reveal the contents.
- Note that the content is not hidden in PDF reports!
Added retest icons to findings in the section view in the researcher panel that show the status of the latest retest.
Search indexing is now much faster. You should be able to use the search functionality much more quickly after a server restart.
Task indicators are now red if you have overdue tasks, and orange if you have tasks due today.
You can now assign assessment tasks to global admins who are not assigned to the particular assessment.
Non-client users, such as researchers and assessment managers, now consistently see unpublished findings in all draft reports and on the web interface. For example, unpublished findings are now counted in report components that count findings by severity.

Bug Fixes

Fixed an issue where the loading indicator didn't disappear in the finding search modal.
Applying filters in the multi-filter search on the assessment index page now properly updates the URL.
The assessment analytics chart (second chart on the analytics page) now has clickable links.
Sections with todo tags now again have warning icons.
Fixed a bug that would prevent the schedule from loading.
When creating a new finding, the "Found At" field is now correctly prefilled with the current time in the user's timezone.
Importing an assessment template with incomplete translations no longer causes an error.
Fixed a bug that caused the checklist template names not to appear in the assessment template form.
Fixed a bug that caused the assessment template edit page to sometimes not render properly.
Fixed some issues with finding template suggestions and linked findings.
Fixed a bug where some finding fields were missing from the API docs and Zapier integration
Made downloading findings as CSV a lot faster, preventing timeouts.
Fixed an issue where the reports table component would incorrectly show resolvers when used in markdown fields.
Tasks to revise an assessment section now complete when you request a new review.
Changing a reviewable from "Draft" to "Revision requested" now completes the task to complete the reviewable.