Releases

Breaking change! - This release contains API breaking changes. Please read the following release notes before upgrading.

Global Announcements

Admins can now send announcements to users through in-app notifications, email, or both. Recipients can be targeted in several ways:

• You can send announcements to Clients, Researchers (including admins), or both.
  • When your selection includes clients, you can pick which client companies to notify.
• You can send announcements to users who are currently logged in, users who were active since a given timestamp, or all users.
• You can send announcements using in-app notifications, email, or both.
• You can set announcements to expire after a certain time (in-app only).

You can access this feature in Settings > Make Announcement, from the API (see the API documentation) or from the command line (useful for system administrators without Reporter accounts to announce downtime, for example).

Single Sign-On: SAML2 IdP-initiated SSO

Reporter now supports SAML2 Identity Provider-initiated SSO in addition to the existing Service Provider-initiated flow. If enabled, users can launch Reporter directly from their identity provider's dashboard (e.g. Azure AD, Okta, Google Workspace) without first navigating to the Reporter login page. 

Enabling IdP-initiated SSO comes with security risks. See Documentation > General > Deployment > Configuration > Authentication > Methods > SAML2 Single Sign-On for more details.

Manage API tokens through the API

Listing, inspecting, creating, and deleting API tokens can now be done through the API itself, plus a new GET /api/v1/api-tokens/me endpoint lets a token look up its own details without any special abilities. Admins can also create tokens on behalf of other users. 

Together with the scoped API tokens introduced in the previous release, this makes it much easier to automate tasks like provisioning dashboards or per-client integrations: a script can mint a short-lived token scoped to a single client or assessment on demand, rather than relying on a single, broadly permissioned token stored in a configuration file.

Horizontal rules

Added support for horizontal rules in markdown fields. The rule can be customized in color and width in Settings > Report Themes.

API breaking changes

Breaking change! - This release contains fixes and improvements to the API related to working with translatable models, such as finding and assessment templates. Some broken filters were removed and inconsistencies between list and search routes have been reduced. If you are using language functionality in your API scripts, you may be affected by the following breaking changes.

For all translatable models (finding template, assessment template, assessment section template, custom field, theme, and report page), the list routes (GET /{name of model}) have the following changes:

• Filtering by language now only narrows the result set; it no longer translates the results. The translating behavior was previously advertised in the docs but only ever worked on finding templates.
• filter[language_id] has been renamed to filter[language_ids], and a new filter[and_language_ids] is available for matching records translated into multiple given languages.
• To translate results, pass ?language_id= or ?prefer_language= as a query parameter (unchanged).

Scripts using the /finding-templates/search route are also affected:

• Filter parameters have moved under filter[...] to match list routes. For example, the filter query parameter ?source= was changed to ?filter[source]=.
• ?language_id= no longer narrows the result set. To narrow to templates that have a translation in a given language, use ?filter[language_ids]= (or ?filter[and_language_ids]= to require translations in multiple languages). ?language_id= continues to select which translation fields are searched and used for rendering.
• Scripts that previously relied on ?language_id= for ranking-boost (templates with a translation in that language ranked higher) should pass ?prefer_language= as well to keep that behavior.

Improvements

• Researchers can now see the available assessment templates and their contents
• Keyboard shortcuts for mark tags and callouts now select the first option in the list
• Analytics, findings, and assessments can now be filtered by client tags and assessment tags
• Updated the parsers for tool findings and added 9 new parsers
• Parsers now import tags for tool findings and tool findings can be filtered by tag

Bug Fixes

• Fixed a bug that caused password setup links to be valid for 72 minutes instead of 72 hours.
• Fixed an issue sending emails about changes to remediation status.
• Fixed an error when you unpublish and then republish a finding with at least one resolved target.
• Unpublished findings now always show up in the results table and checklist table components in draft PDF reports.
• Fixed a display issue in the results table caused by missing findings.
• Tasks to remove todo tags from findings now link to the finding.
• Fixed an issue where draft report compilation would crash with unpublished retests.
• Files uploaded through the MCP server now have a name.
• Fixed a bug where researchers could see (but not use) the "publish" toggle when editing a finding.
• Fixed a bug in the grouped email logic that would only cause older notifications to be sent even if newer ones existed.

Breaking and recommended changes - This release contains API breaking changes and recommended changes to the application settings. Please read the following release notes before upgrading.

Findings: "Resolvers" renamed to "Assignees"

"Resolvers" on findings have been renamed to "Assignees". This term better reflects their role as the users responsible for following up on a finding, and matches the convention used by tools like GitHub and GitLab.

API breaking change - Probability of impact: Low - Any scripts that set resolvers or set the restrict_findings_to_resolvers setting on assessments must be updated to set assignees or restrict_findings_to_users instead.

Recommended settings change - Previously, only client leads could set assignees for findings. We changed the default setting so that all clients can set assignees, which allows them to assign themselves to findings, which is much more convenient. To apply this new default setting in existing deployments, navigate to Settings > General > Functionality, and under Client users, set "Clients who can set assignees for findings" to "All Clients".

Findings: new "Remediation Status" field

Findings now have a Remediation Status. Clients can use this field to keep track of their progress in remediating the finding. The remediation status can have the following values:

A vulnerable finding is set to Open by default, and Retest Requested and Resolved can only be set automatically as part of the retest process.

When a user changes the remediation status they can optionally provide a reason. The change will appear in the finding's timeline like a comment or retest does.

Accepted Risk is now a remediation status. Clients can now set a finding as accepted risk themselves, instead of having to ask the researcher to do so through a retest. They must provide a reason, and that reason can be added to the report. "Show accepted risk with reason in reports" can be set per assessment with a global default. It is on by default, but it has been disabled for existing assessments.

Both the remediation status and assignees can now be set from the findings index page, and the Findings and Action Plan tabs on the main assessment page making it much easier to quickly assign client users to specific findings.

API breaking change - Probability of impact: Low - The Accepted Risk finding status (3) has been removed. API scripts that use the Accepted Risk finding status should be altered to use the Accepted Risk remediation status instead.

Recommended settings change - The default finding layout got changed so that the Assignees field is moved right above the Remediation status field, as those fields are closely related. We recommend admins of existing deployments to apply this change to each of their existing finding layouts by navigating to Settings > Finding Layouts and dragging the Assignees field (near the bottom in the old default) to be just above the Remediation status field (near the top).

Findings: new "Resolved" severity

The existing severity OK had two distinct meanings:

• We have tested it and it was configured correctly.
• We have tested it and it was vulnerable. We have retested it and it is now configured correctly.

In order to better cover the second meaning, this update introduces a new Resolved severity. Existing OK findings are updated to Resolved automatically if they match the second meaning and resolving a finding through a retest now sets Resolved instead of OK.

Restrict Findings to Users

The setting Restrict findings to resolvers has been renamed to Restrict findings to users and now has three options for managing access to findings for client users:

• All client users
• Client leads and assignees New
• Only assignees

This setting is useful if a pentest covers multiple separate applications that are maintained by different independent teams. With the new Client leads and assignees option, you can now assign a client lead who will have access to all published findings and the PDF reports. The client lead will be able to assign findings to their colleagues who will only be able to see those findings that are assigned to them, shifting that responsibility away from researchers to a manager on the client side.

You can also set a default for Restrict findings to users in Settings > General > Assessment Defaults that applies to new assessments.

Scoped API Tokens

You can now restrict new API tokens to specific assessments or clients. When creating a new API token, you can set the scope of the token to Clients or Assessments, and then select the clients/assessments that you want your token to have access to.

This is ideal for tailoring API access to a single client or assessment without exposing your entire account.

Scoped tokens can still access data that is not related to any specific assessment, such as users and finding templates.

New API endpoints for assessment templates and sections

This release adds new API endpoints for managing assessment templates, assessment template translations, section templates, and assessment sections. The new endpoints include support for:

• Store/Update/Destroy assessment templates
• Add/Destroy assessment template translations
• Index/Store/Show/Update/Destroy/Reorder assessment section templates
• Index/Store/Show/Update/Destroy/Reorder assessment sections

Refer to the updated API documentation for more information.

Finding template sources and Reporter templates

You can now manage which finding template sources are available in your workflow from General Settings. This gives administrators more control over which templates teams can use when documenting findings.

Reporter also includes a curated set of built-in finding templates designed to help you produce clear, consistent reports more efficiently. You can access the full list via the "Findings" button in the sidebar under "Templates". 

To view the newly built-in templates, go to Templates in the sidebar, select Findings, and apply the filter Source: Reporter.
 

Assessment index

We have introduced several changes to the way information is displayed in the index page for assessments, to improve the functionality of the page:

• Improve the Assessment index by adding a Start date column, and consolidating the Research Time and Total Research Time columns into a single one. Sorting this column sorts by base Research Time, which users can also see in a tooltip on the table header.
• Improve copying of relative date strings. Whenever text containing a dynamic date string is selected (e.g. "5 days ago"), the clipboard data replaces this dynamic date string with a static (absolute) date.
• Change relative date formatting to apply only to dates within 1 week before or after the current date.

Further improvements

• Added support for pasting tables from Excel directly into Markdown fields.
• Increased rendering performance for markdowns with extensive code blocks.
• Test case assignees are now always shown.
• Added a toggle for the "Compliant/Not compliant" severity metric in finding templates.
• Tags can now be created directly from select fields across the application.
• Updated several documentation pages.
• Added a "Regenerate PDF report" button to the translations page.
• Added an option to flip the severity and original severity columns in the findings table component.

Bug Fixes

• Deleting many assessments no longer causes Reporter to become inaccessible.
• Fixed a bug that prevented you from seeing who updated a test case.
• Fixed a bug where the back button would reload the page when switching between tabs.
• Fixed traffic light severity being rendered incorrectly in PDF and online reports.
• Fixed a bug where the Low + Low = Low setting wasn't applied in the PDF version of the OWASP risk assessment table.
• Fixed broken badges in "ISO 27001:2022 Annex A" template.
• Fixed a bug where 2FA remember cookies occasionally didn't work.
• Prevent overflow issues with long finding names.
• Fixed a 500 error that occurred when requesting a finding revision.
• Fixed a visual bug that caused card headers to get vertically misaligned.
• Fixed a bug that caused all scoring systems to be toggled when editing a finding template. 
• Fixed a bug where you couldn't remove all tags from clients or finding templates

Client-level access control

We have introduced several improvements to client-level access control, giving teams more flexibility and control when managing client access across assessments. You can now grant access to all current and future assessments, delegate client access management to designated client users, and define client user properties, such as whether a user is a client lead, across all assessments.

Client Managers

You can now designate client users as client managers for a specific client. Client managers are assigned from the main client page and automatically receive access to all assessments for that client, along with full control over teams and client user access within those assessments.

Teams

User groups have been renamed to teams. As before, teams can be created per client and assigned to assessments or to findings as resolvers.

You can now grant a team access to all future assessments for a client. These teams will automatically be assigned to every new assessment for that client.

Per-user properties are also now configurable at the team level: you can mark a user as a client lead, set their access to read-only, or specify an access expiry date. These properties serve as defaults that can be overridden at the assessment level, except for read-only status and access expiry, which act as upper bounds. Assessment-level settings cannot grant more access than the team-level defaults allow.

Account managers

Account managers can now optionally be assigned to all future assessments for a client, ensuring they automatically receive admin-level access to every new assessment, regardless of who created it.

Read-only client users

When adding a client user to an assessment, you can now grant them read-only access. They can view the assessment, findings, and reports, while actions such as commenting, requesting retests, and assigning users remain disabled. Read-only access is useful for auditors or higher-level managers who want to keep an eye on what's happening in the assessment.

Improvements

• Improved the performance throughout the application.
  Note: For best performance, we recommend configuring innodb_buffer_pool_size appropriately in my.cnf with a minimum of 512 MB. Please refer to the documentation for more information.
• Added CAPTCHAs to the password reset, password setup, and initial setup forms.
• Updated the order of the AI section on the general documentation page.
• Clients can now access assessment users through the API.

Bug fixes

• Fixed an issue that caused most MCP tools to return HTTP 400.
• Fixed an issue where inline code was not rendered correctly in figure captions.
• Fixed an issue where the remediation chart would not render when there were no findings for a given time period and severity.
• Fixed findings table status sorting to follow the configured display order. Unresolved findings now appear first, followed by partially resolved findings, with resolved findings listed last.
• Fixed automatic target matching when importing findings into an assessment that uses a different assessment template than the original assessment.
• Fixed an issue rendering side-by-side codeblocks in callouts.
• An "Are you sure?" popup no longer shows when you navigate away after successfully creating a finding.

MCP (Model Context Protocol) server

Reporter now ships with a built-in MCP server, allowing AI assistants to interact with your Reporter instance through natural conversation. 

Short screen recording showing the MCP server in action:

When creating an API token, Reporter also provides the MCP configuration JSON. Copy this to your AI client to give it access to more than 100 Reporter tools covering the full assessment lifecycle.

Works with popular AI assistants such as Claude and ChatGPT, self-hosted AI tools, and developer environments like Cursor or Visual Studio Code to assist in code reviews or white-box assessments, as well as any other MCP-compatible client.

This is the first step in a broader set of AI capabilities planned for upcoming releases.

Visibility controls for checklists

You can now fine-tune how checklists are made visible to client users. The following visibility options were added:

• Private: Hidden from clients and visible only to researchers.
• Unpublished: Hidden from clients while the assessment is in progress and automatically published upon completion. Optionally, checklist progress can be shown to clients without revealing detailed results (e.g., pass/fail status).

Joined code blocks

Added support for joined code blocks in Markdown.

Two types of joined code blocks are supported:

Vertically joined code blocks allow snippets with different syntax highlighting styles to be combined. This is useful when a single example contains multiple languages.

Horizontally joined (side-by-side) code blocks improve readability for request/response examples and other related snippets.

Improvements

• Added a new Compliant / Not Compliant scoring system.
• The 2025 version of the OWASP Top 10 is now available, both as an assessment template and a checklist template. On existing installations, admins or template managers can add these templates by going to the assessment template or checklist template page, and clicking the "Clone default template" button.
• Added an option to the Findings Table report component to display a column with the original severity of each finding.
• The Research Started On report component now allows selecting an end date different from the delivery date.
• Admins are now notified by email when a webhook fails. OAuth connection failures notify only the user who configured the connection.
• Checklists can now be reordered in assessments and assessment templates that contain multiple checklists.
• Admins can now cancel assessment deletion requests submitted by clients.

Bug fixes

• Image tags are now fully stripped when creating a template from a finding (including parameters such as {scale=100}).
• Fixed an issue where the Request revision button in the Summary tab of the assessment overview did not function correctly.
• Fixed a bug that caused an error to appear when deleting an assessment.
• Fixed a server error that occurred when resolving a finding without a severity.
• Fixed a 500 API error that occurred when updating custom fields without permission to update default fields.
• Restored missing tooltips for Markdown form element labels.
• Fixed an issue where certain characters caused section headers to terminate prematurely in PDF reports.
• Fixed an issue where some properties did not update when editing an assessment checklist.
• Fixed an error in the online report when a report page was missing a background.
• Fixed minor badge styling issues in reports.

n8n

The latest release of Security Reporter includes an integration with n8n, making it possible to add another layer of automation and customization on top of Security Reporter without having to write a single line of code! 

Follow the guide here to set up the Reporter integration in n8n. 

Our latest blog shows an example of how you can integrate Reporter with Jira using n8n.

Other Improvements

• In the finding layout, you can now configure conditions to show or hide fields based on assessment and client fields. The n8n blog post includes an example in which the Jira Issue field is displayed only when it is not empty.
• OWASP ASVS v5 has been added to the checklist templates. You can add it to the list of checklist templates by going to Templates > Checklist Templates, clicking Clone default template, and selecting OWASP Application Security Verification Standard v5.
• Admin users can now be assigned to test cases directly from the checklist table.
• Editor autocomplete has been improved. You can now use the Tab key to accept a suggestion, and [mask] has been added to the autocomplete options.
• Add 'Show details' tooltip to tool finding titles.
• Documentation for using custom CA certificates has been added.
• An option has been added to URL custom fields to control link behavior, either opening in a new tab or the current window. For existing custom fields, links now open in a new tab by default.
• The section status badge that appears in the assessment overview tab is now smaller.
• A button has been added to the top of a finding that scrolls to the latest retest when clicked:

Report compilation bug fixes

• Fix an issue where a link in a PDF that continues on the next page would make the whole page clickable.
• Fix an issue where rendering inline code inside a table would crash report compilation.
• Fix an issue where mark tags could highlight the wrong text when used in combination with Unicode characters.
• Fix an issue where inline code started a new paragraph.
• Fix a bug that caused the PDF index to contain duplicate entries.
• Fix several additional rare issues related to PDF compilation.

Other bug fixes

• Fix an issue where the 'Add Checklist' button was visible to users without checklist creation permissions.
• Fix a bug that caused targets to not appear in the targets list after adding them.
• Fix an issue where the checklist table always showed the pass rate in the PDF report, even if the option was turned off.
• Fix an issue where the pass rate text could not be translated.
• The deprecated 'X-XSS-Protection' header has been removed.
• Fix results when filtering assessments by 'Research phase completed at'.
• Fix a bug that caused custom field regex validation to fail when using a pipe operator.
• Boolean custom field changes in the theme editor are now saved.
• Fix a bug that caused theme exports to fail when the colors of a custom field had previously been modified in the theme settings.
• Fix a bug that made it impossible to change the 'password-protected PDF reports' setting from 'false' to 'true'.
• Fix a bug that caused the add snippet button to not work in the assessment template edit page.
• Fix a bug that caused the user page to throw an error if the logged-in user had no timezone.
• Fix a bug in pages with a resizable split pane (such as the finding layout edit page) that caused the divider to stick to the mouse.
• Fix a bug that sometimes caused a 500 Internal Server Error on the task page.
• Fix a bug that caused result icons to become misaligned in the checklist table.
• Fix a bug that caused the result of a test case to not get updated when the vulnerability state of a finding changed.