Releases

Assessment templates and editor

The assessment template editor has been completely redesigned. You can now configure the entire assessment template, including all its sections, in a single form. Sections can be reordered with drag-and-drop, properties can be modified on the spot, and translations can be added directly without leaving the page. All changes are saved at once, making it much easier to maintain templates.

Alongside the new editor, several new assessment templates have been added, and existing ones have been updated. To use them, click the 'Clone default template' button on the Assessment Templates page.

New assessment templates

The following templates are now available:

1. OWASP Top 10 for LLM Applications (2025)
2. OWASP Top 10 CI/CD Security Risks (2023)
3. OWASP Cloud-Native Application Security Top 10 (2022)
4. OWASP IoT Top 10 (2018)

Updated templates

The following templates have been updated:

1. Microsoft Cloud Security Benchmark (v1 → v2)
2. CWE SANS Top 25 (2022 → 2024)
3. OWASP Mobile Top 10 (2016 → 2024)
4. OWASP API Security Top 10 (2019 → 2023)

Syntax highlighting combined with mark tags

Syntax-highlighted code blocks now also support [mark] tag highlighting! Previously, [mark] highlighting only worked in plain code blocks without syntax highlighting. With this update, you can now combine the two, making it easy to call out specific parts of code, HTTP requests and responses, data snippets, and more, without sacrificing readability.

Python API wrapper updated

The Python API wrapper has been updated to include the latest endpoints, making integrations easier to set up and maintain. It is available on PyPI: https://pypi.org/project/securityreporter/. The full details can be found on GitHub: https://github.com/dongit-org/python-reporter.

Improvements

• The tagging feature in the Markdown editor can now be accessed directly from a toolbar button, making it easier to add tags without remembering shortcuts.
• The category name format in checklist tables is now customizable, just like the test case name format.
• The default PDF report filename now includes the client’s name for easier identification and organization.
• The checklist depth limit has been increased to 5, allowing more levels of nesting in checklist templates.
• Findings from previous assessments can now also be imported into the current one via the Add finding dialog.
• The order of severities in report components such as the "finding counts by severity" table, the "findings by severity" chart, and the "findings by severity and status" bar chart can now be reversed.

Bug fixes

• Fixed a bug in the checklist table, where expanding or collapsing one category would sometimes cause a different category to be expanded or collapsed.
• The checklist editor no longer occasionally incorrectly fails validation with a "test case code is duplicate" error message.
• In the PDF report's table of contents, dotted lines now appear after all sections, if that setting is enabled.
• In the online report's table of contents, sections no longer overlap.
• In the PDF report, all URLs now get the correct color.
• In the online report, when inline editing Markdown fields, the assessment language is now used to render the result, instead of the default language.
• When making a new assessment checklist, the IDs and codes now get correctly copied over from the template categories.
• Report generation no longer crashes when a finding has a multiselect custom field where the "Show as a badge" option is set to false, or where specific enums (such as Assessment Status) are used for the values.
• The "Download default SVG backgrounds" button that was removed from the theme editor is now added to the theme index page, under the "Theme" dropdown.
• When editing a task, the description text area now expands to fit its contents.
• If the user tries importing targets using an invalid CSV file, a validation error is now shown.
• The "findings by import status" and "checklist table" components can now also be previewed in the context of an assessment template.
• Report compilation no longer crashes on certain inline code fragments if the report language is not set to English.
• In the API, includes can now again be passed using the "array notation" (?include[]=assessment&include[]=user). Due to a bug, only "comma-separated notation" (?include=assessment,user) would be accepted.
• The "list custom fields" endpoint in the API now returns a paginated response, consistent with other "list" endpoints.
• Report pages can now again be included with themes through the API

Flexible report layout

You can now insert fully custom pages anywhere in your report theme, each with its own layout, structure, and styling. This makes it easy to include elements like a disclaimer, cover letter, or dedicated contact page, designed exactly the way you want. Previously, text boxes and backgrounds could only be added to the front, back, and content pages.

Page Features

A page (like the content page) is rendered as one unit, but may span multiple physical pages in the PDF report. Each page includes the following options:

• Visibility: Choose whether the page appears in the full report, the management report, or both.
• Custom fields: Display content from a client-specific or assessment-specific custom field.
• Backgrounds: Configure different backgrounds. These backgrounds can be overridden within an assessment.
• Text boxes: Add static content to the page. For multipage pages, text boxes can be shown on all pages or restricted to just the first or last.
• Margins: For content pages, you can now add extra top margin to the first physical page to make room for a text box that only appears there, such as a letterhead.

Highlighted HTTP requests and responses

Syntax highlighting for HTTP requests and responses has been added to code blocks. The body is highlighted based on the Content-Type header, making it easier to read and review. Naturally, this is also perfectly rendered in the reports.

👉 Also keep an eye out for the next release, we'll be adding support for working mark tags in syntax-highlighted blocks!

Improvements

• Added 'Create Retest' buttons to the top of the finding page and retest requests for improved usability and clarity.
• If you can't edit the status or severity of a finding due to a pending retest, a link is now shown to edit or create the retest.
• You can now disable the priority and/or complexity columns in the 'Action Plan Table' component.
• Moved the 'Table Styles' option from 'Templates' to 'Settings' in the main menu.
• Removed unnecessary tooltips from the markdown editor.

Bug Fixes

• Fixed a crash when creating findings due to duplicate IDs.
• Fixed strange behavior when opening and closing checklist categories.
• Fixed a bug in the findings table component where it displayed dummy targets instead of the assessment's targets.
• Finding numbers now properly have leading zeroes in the findings table and action plan table components.
• URLs in code captions now correctly open in a new tab.
• Fixed a bug where the visibility settings of a section could be incorrect.
• Fixed filtering models by tag.
• Fixed certain modals not closing with the escape key.
• Fixed a crash in the assessment template edit page when using the "show if has findings" visibility option.
• H1 headers from markdown fields no longer have extra space above when they appear at the top of the page in the PDF report.
• The margin below figure captions is now consistent with other captions in the PDF report.
• Formatting shortcuts now work inside code block captions.
• Floating edit buttons no longer hide behind callout blocks.
• Fixed bug that caused suggestions to not load in the add finding modal.
• Wide tables now always render full width the the HTML report.
  • You can force a table to be full-width by adding a large number of spaces to one of the cells. You can then control the relative size of the columns by changing the number of dashes in each row in the second line of the table.
• Fixed simultaneous edit functionality for assessment custom fields
• Limited report components are now available in finding templates and several other markdown fields outside of the assessment context.
• The test cases field is no longer shown in the finding edit page when there are no test cases in the assessment.
• Fixed an issue where the wrong names were shown in the non-PDF version of the 'Started On' component.
• Fixed table of contents links to unnumbered sections in the PDF report.

API changes

Breaking change! - Likelihood of Impact: Very Low

The clonedTo and clonedFrom includes for findings have been renamed to importedTo and importedFrom. The events in the timeline relating to importing have been renamed from FindingCloneEvent to FindingImportEvent, and they now only appear on the original finding.

Checklists for Complete and Auditable Security Assessments

Checklists are now available, helping teams deliver more reliable, complete, and auditable security assessments. You can use any checklist you need, choosing from predefined industry standards or creating your own to match your methodology, ensuring every test case is thoroughly tested and documented.

Highlights

• Start with the included templates, with more coming in future updates.
• Use only the checklist levels you need, such as Level 1 and Level 2 from OWASP ASVS, while excluding Level 3.
• Create custom templates to match internal testing methodologies.
• Attach checklists to assessment templates so new assessments include the right checklists automatically.
• Include checklist results directly in your reports with the new Checklist Table component, featuring flexible display options and full customization via 'Report Theme' settings.
• Assign test cases to researchers and track progress in real time.
• Access checklists and test cases instantly from the researcher panel.
• Attach findings and comments to individual test cases as proof.

Getting Started

1. Add a checklist to an assessment on the main assessment page using the 'Assessment Settings' dropdown (the button with the wrench icon).
2. Access the added checklist either via the researcher panel or the 'Checklist' tab.
3. Start testing! Each test case begins as Not Tested. Researchers can mark cases as Not Applicable, Passed, or Failed, and attach supporting evidence.
4. For more details on configuring and using checklists, see the documentation.

Component Preview

When adding components like dynamic tables to markdown fields, you will now see a live preview with the selected options. This means you no longer need to reference the documentation to figure out what each component or option does.

For assessments, previews are generated using data from that assessment. For assessment templates, dummy data is used instead.

Other Improvements

• Activity is now logged when a user views an assessment or finding. In the API, every finding or assessment object that is returned is also logged, regardless of which route is used.
• When importing a finding from a previous assessment, the finding no longer has a separate created event and import event.
• You can now set assessment sections to appear in reports only if the section itself or one of its children has findings.
• Added new target types 'Gameplay', 'Smart contract', 'Web3 application', 'Source code' and 'Network'.
• Added includes for allComments and allEvents to findings in the API. This gets all comments or timeline events, including replies.
• 'Finding status changed'-notifications are no longer sent to researchers.
• Researchers are no longer notified about retest requests being cancelled if they do not have permission to create retests.
• Assessments with the 'Retest Requested' status are now considered locked (similar to 'On Hold' and 'Completed' assessments), preventing researchers from making changes.
• You can now use the keyboard to interact with dropdowns in the markdown editor toolbar.
• The markdown editor toolbar is now always visible when editing a large markdown field.
• You can now assign users to assessments as 'Lead Researcher'. Marking a researcher as lead can help establish clear accountability within the team. This role may involve coordinating technical work, supporting other researchers, and helping ensure findings are consistent and well-organized. Responsibilities can vary based on your team's workflow.
• Added documentation for which media file types can be uploaded. You can find the list in 'Documentation > General > Usage > Markdown Editor'.
• File upload support has been extended:
  • Additional image and video formats are supported.
  • You can now upload a variety of audio files.
  • .7z and .tar.gz archives are now supported.
  • Any unsupported file type can still be uploaded by first compressing it into a .zip, .7z, or .tar.gz archive.
  • The related documentation has been improved.
• New options for finding numbers and short ID:
  • You can display the finding number (e.g., 001) in the title of each finding in reports. You can find this setting in the Miscellaneous tab of the Report Theme settings.
  • The following options can be set on the assessment edit page, with defaults in 'Settings > General > Assessment Defaults' for new assessments:
    • You can now configure if the assessment short ID is included in finding short IDs. So the ID could be 'MyAssessmentShortId-001' or simply '001'.
    • You can now configure the minimum number of digits for finding ID numbers. So it could be '1', '001' or even '000001'. 

Bug Fixes

• Fixed an issue where importing a finding from a previous assessment and changing its status or severity while in draft would trigger timeline events and notifications. These should only occur if the finding has been published.
• Fixed an issue where imported findings retained the created_at timestamp from the original finding.
• Fixed a bug where a file upload dialog would sometimes open when selecting text in a markdown editor.
• Fixed an inconsistency in the markdown editor where an attachment’s extension sometimes differed from the one inserted into the markdown field.
• Fixed missing example requests and responses in the API documentation.
• Fixed an issue where deleting a retest request could leave findings stuck in 'Retest Pending' with no way to update the status.
• Cancelling or deleting a retest request now always sets the finding back to the status it was before the request, instead of always setting 'Unresolved'.
• Fixed a bug where sections could appear in the wrong order in some tables.
• Fixed image scaling issues in the online report.
• Fixed incorrect fonts and sizes being applied to some fields in the online report.
• Fixed an issue where the preview of large images in the markdown editor prevented editing the caption.
• The LinkedIn field for users can now only contain links to LinkedIn.
• Fixed a bug where deleting a custom field would cause a '405 Method Not Allowed' error.
• Fixed a bug on the schedule page where the 'Save changes' button did nothing when editing an assessment phase.
• Fixed a bug in the markdown editor where the focus would remain on the markdown editor when opening the snippet dialog.
• Fixed an issue that could prevent the 'General Settings' form from saving when certain results table options were selected.

Researcher panel improvements

Researcher activity indicators

User icons are now displayed in the researcher panel, showing who is currently working on which finding and whether they have an active edit lock.

Visibility options

Added controls to fine-tune the information shown in the researcher panel.

Roles-based filtering

You can now filter findings and sections by role (Researcher, Reviewer, Manager). When filtering, only items requiring action for the selected role are shown. Section tooltips are updated accordingly.

Highlighting text matches

When filtering findings or sections, matching text is now highlighted matches easier to spot.

Improved UI and animations

Improved the alignment of the 'Complete Review' button in the header and added smoother interface animations.

Image scaling support

You can now scale images in reports using syntax like: ![caption](href){scale=50}. The scale value must be a percentage between 25 and 100.

Business-day deadline offsets for tasks

Tasks now support deadlines based on business-day offsets. Instead of choosing a fixed date, you can define how many working days before or after a reference point the deadline should fall.

Bar chart option for 'findings by severity' chart

Added a new bar chart option to the 'Findings by Severity visualization. Also fixed: 

• A discrepancy in how remediation days were counted

• A missing section filter when selecting a specific severity

Consistent audit score terminology

Assessments using the audit scoring system now consistently display the correct severity names defined by that system, instead of the default 'Critical', 'High', 'Medium', 'Low', and 'Info' labels. Some examples:

Other Improvements

• The finding status 'Partially Resolved' can now be set independently of resolved targets.
• Active sessions are now invalidated when a user changes their password.
• Removed auto assignments for answering assessment section comments.
• Associated tags are displayed in the snippet modal.
• Inline components can now be used in captions.
• Table-style colors are now case-insensitive.

Bug Fixes

• Fixed an issue where the tool filter on the Tool Import page did not respond to typed input.
• Tools in the Tool Import dropdown are now sorted alphabetically.
• Added an error message when a user attempts to upload an invalid file type.
• Fixed a bug that allowed you to upload a .ttf file under Add font-family in Report Fonts.
• Fixed a bug that prevented a user from searching by tag.
• Corrected link colors in the HTML report for the Findings, Action Plan, and Results tables.
• Toast notifications now appear correctly when uploading output files.
• Fixed incorrect section highlighting in the Table of Contents side panel in the online report.
• Resolved an issue that could break the researcher panel when creating a finding from a template.
• Fixed occasional failures in PDF report generation when using non-Latin scripts.
• Fixed a bug where forms related to assessments remained locked after a user finished editing.

New Scoring System: PASSI

We’ve added support for the PASSI scoring system, developed by the French national cybersecurity agency ANSSI. This system uses a 4-point 'Impact' scale and a 4-point 'Ease of Exploitation' scale to determine the severity of findings, similar in approach to the OWASP Risk Rating Methodology.

Alongside this, we’ve introduced:

• A new risk assessment table component for your reports.
• A reusable scoring system description snippet to explain PASSI in your assessments.

Colored tables

You can now create tables in Markdown with custom background and text colors. Define styling rules based on row and column numbers by going to Templates > Table Styles. Once set up, users can easily apply these table styles when adding tables in the Markdown editor.

Highlights:

• When making your table styles, you can use many of Reporter’s named colors (like critical severity) that automatically follow the report’s theme.
• We have added two new colors: light table stripe and dark table stripe. You can customize them in your themes and use striped tables for readability.
• You can also use custom colors that are independent of the theme.
• We have added a 'Table style manager' role so you can control who can create and edit table styles.
• When you apply a table style in a Markdown field, all style data is saved into the Markdown itself. This means you can safely delete unused table styles later without affecting existing reports.

Renumbering Findings

Findings in Reporter have a number that is unique and used as part of their short ID. Those numbers are assigned sequentially, and any deleted findings can cause gaps in the numbering. Since short IDs are used in client communication, we don't want to renumber findings automatically. But we recognize that many of you don't want gaps in the finding numbering and that you want to number them based on the order they appear in the report.

With all that in mind, we have added a feature to let you renumber the findings in an assessment. When you do, the findings are renumbered at that moment, but any new findings are added with the next available number. This ensures that finding numbers stay consistent unless you decide you want to change them. You can access this functionality from the assessment dropdown on the main assessment page:

Findings can be reordered based on:

• Oldest finding first
• Report order (by section, then severity)
• Highest severity first

For more details, check out the documentation.

Improvements

• You can now tag targets in markdown fields using $, similar to sections, users, and findings.
• Client custom fields can now be added to the report using placeholders and a theme's text boxes.
• Custom fields of the type ‘File’, created for assessments or clients, can now be rendered as images inside text boxes in your report themes. For example, this allows you to easily display the client’s logo on the cover page of your assessment reports.
• You can now customize the front page and back page backgrounds for each assessment individually, directly from the assessment edit page.
• The CWE classifications have been updated.
• Added an environment variable called WEBHOOK_SSRF_HOST_WHITELIST to whitelist hosts for webhooks that can bypass SSRF header checks. This should be used for webhooks to external services like Slack where you can not control response headers. See Documentation > General > Settings > Webhooks for details.
• You can now upload multiple tool output files in a single request, making it faster and easier to import results.
• Added more details about account managers, including how they can be selected and linked under clients.
• Added documentation about finding statuses.
• Added instructions for using SFTP to connect to your storage for backups.

Bug Fixes

• Fixed a bug where reactions showed the wrong emojis. Unfortunately, the bug caused the incorrect emojis to be saved in the database, so reactions to timeline events may now show different emojis than they did before.
• Fixed a bug where the targets tab on the assessments page for completed or on-hold assessments was only visible to admins.
• Fixed a bug where findings did not appear in the CSV export if they had no targets.
• Fixed an exception when exporting findings to CSV if there were no findings to export.
• Fixed an exception when using webhooks targeting an IP address.