Releases

Flexible report layout

You can now insert fully custom pages anywhere in your report theme, each with its own layout, structure, and styling. This makes it easy to include elements like a disclaimer, cover letter, or dedicated contact page, designed exactly the way you want. Previously, text boxes and backgrounds could only be added to the front, back, and content pages.

Page Features

A page (like the content page) is rendered as one unit, but may span multiple physical pages in the PDF report. Each page includes the following options:

• Visibility: Choose whether the page appears in the full report, the management report, or both.
• Custom fields: Display content from a client-specific or assessment-specific custom field.
• Backgrounds: Configure different backgrounds. These backgrounds can be overridden within an assessment.
• Text boxes: Add static content to the page. For multipage pages, text boxes can be shown on all pages or restricted to just the first or last.
• Margins: For content pages, you can now add extra top margin to the first physical page to make room for a text box that only appears there, such as a letterhead.

Highlighted HTTP requests and responses

Syntax highlighting for HTTP requests and responses has been added to code blocks. The body is highlighted based on the Content-Type header, making it easier to read and review. Naturally, this is also perfectly rendered in the reports.

👉 Also keep an eye out for the next release, we'll be adding support for working mark tags in syntax-highlighted blocks!

Improvements

• Added 'Create Retest' buttons to the top of the finding page and retest requests for improved usability and clarity.
• If you can't edit the status or severity of a finding due to a pending retest, a link is now shown to edit or create the retest.
• You can now disable the priority and/or complexity columns in the 'Action Plan Table' component.
• Moved the 'Table Styles' option from 'Templates' to 'Settings' in the main menu.
• Removed unnecessary tooltips from the markdown editor.

Bug Fixes

• Fixed a crash when creating findings due to duplicate IDs.
• Fixed strange behavior when opening and closing checklist categories.
• Fixed a bug in the findings table component where it displayed dummy targets instead of the assessment's targets.
• Finding numbers now properly have leading zeroes in the findings table and action plan table components.
• URLs in code captions now correctly open in a new tab.
• Fixed a bug where the visibility settings of a section could be incorrect.
• Fixed filtering models by tag.
• Fixed certain modals not closing with the escape key.
• Fixed a crash in the assessment template edit page when using the "show if has findings" visibility option.
• H1 headers from markdown fields no longer have extra space above when they appear at the top of the page in the PDF report.
• The margin below figure captions is now consistent with other captions in the PDF report.
• Formatting shortcuts now work inside code block captions.
• Floating edit buttons no longer hide behind callout blocks.
• Fixed bug that caused suggestions to not load in the add finding modal.
• Wide tables now always render full width the the HTML report.
  • You can force a table to be full-width by adding a large number of spaces to one of the cells. You can then control the relative size of the columns by changing the number of dashes in each row in the second line of the table.
• Fixed simultaneous edit functionality for assessment custom fields
• Limited report components are now available in finding templates and several other markdown fields outside of the assessment context.
• The test cases field is no longer shown in the finding edit page when there are no test cases in the assessment.
• Fixed an issue where the wrong names were shown in the non-PDF version of the 'Started On' component.
• Fixed table of contents links to unnumbered sections in the PDF report.

API changes

Breaking change! - Likelihood of Impact: Very Low

The clonedTo and clonedFrom includes for findings have been renamed to importedTo and importedFrom. The events in the timeline relating to importing have been renamed from FindingCloneEvent to FindingImportEvent, and they now only appear on the original finding.

Checklists for Complete and Auditable Security Assessments

Checklists are now available, helping teams deliver more reliable, complete, and auditable security assessments. You can use any checklist you need, choosing from predefined industry standards or creating your own to match your methodology, ensuring every test case is thoroughly tested and documented.

Highlights

• Start with the included templates, with more coming in future updates.
• Use only the checklist levels you need, such as Level 1 and Level 2 from OWASP ASVS, while excluding Level 3.
• Create custom templates to match internal testing methodologies.
• Attach checklists to assessment templates so new assessments include the right checklists automatically.
• Include checklist results directly in your reports with the new Checklist Table component, featuring flexible display options and full customization via 'Report Theme' settings.
• Assign test cases to researchers and track progress in real time.
• Access checklists and test cases instantly from the researcher panel.
• Attach findings and comments to individual test cases as proof.

Getting Started

1. Add a checklist to an assessment on the main assessment page using the 'Assessment Settings' dropdown (the button with the wrench icon).
2. Access the added checklist either via the researcher panel or the 'Checklist' tab.
3. Start testing! Each test case begins as Not Tested. Researchers can mark cases as Not Applicable, Passed, or Failed, and attach supporting evidence.
4. For more details on configuring and using checklists, see the documentation.

Component Preview

When adding components like dynamic tables to markdown fields, you will now see a live preview with the selected options. This means you no longer need to reference the documentation to figure out what each component or option does.

For assessments, previews are generated using data from that assessment. For assessment templates, dummy data is used instead.

Other Improvements

• Activity is now logged when a user views an assessment or finding. In the API, every finding or assessment object that is returned is also logged, regardless of which route is used.
• When importing a finding from a previous assessment, the finding no longer has a separate created event and import event.
• You can now set assessment sections to appear in reports only if the section itself or one of its children has findings.
• Added new target types 'Gameplay', 'Smart contract', 'Web3 application', 'Source code' and 'Network'.
• Added includes for allComments and allEvents to findings in the API. This gets all comments or timeline events, including replies.
• 'Finding status changed'-notifications are no longer sent to researchers.
• Researchers are no longer notified about retest requests being cancelled if they do not have permission to create retests.
• Assessments with the 'Retest Requested' status are now considered locked (similar to 'On Hold' and 'Completed' assessments), preventing researchers from making changes.
• You can now use the keyboard to interact with dropdowns in the markdown editor toolbar.
• The markdown editor toolbar is now always visible when editing a large markdown field.
• You can now assign users to assessments as 'Lead Researcher'. Marking a researcher as lead can help establish clear accountability within the team. This role may involve coordinating technical work, supporting other researchers, and helping ensure findings are consistent and well-organized. Responsibilities can vary based on your team's workflow.
• Added documentation for which media file types can be uploaded. You can find the list in 'Documentation > General > Usage > Markdown Editor'.
• File upload support has been extended:
  • Additional image and video formats are supported.
  • You can now upload a variety of audio files.
  • .7z and .tar.gz archives are now supported.
  • Any unsupported file type can still be uploaded by first compressing it into a .zip, .7z, or .tar.gz archive.
  • The related documentation has been improved.
• New options for finding numbers and short ID:
  • You can display the finding number (e.g., 001) in the title of each finding in reports. You can find this setting in the Miscellaneous tab of the Report Theme settings.
  • The following options can be set on the assessment edit page, with defaults in 'Settings > General > Assessment Defaults' for new assessments:
    • You can now configure if the assessment short ID is included in finding short IDs. So the ID could be 'MyAssessmentShortId-001' or simply '001'.
    • You can now configure the minimum number of digits for finding ID numbers. So it could be '1', '001' or even '000001'. 

Bug Fixes

• Fixed an issue where importing a finding from a previous assessment and changing its status or severity while in draft would trigger timeline events and notifications. These should only occur if the finding has been published.
• Fixed an issue where imported findings retained the created_at timestamp from the original finding.
• Fixed a bug where a file upload dialog would sometimes open when selecting text in a markdown editor.
• Fixed an inconsistency in the markdown editor where an attachment’s extension sometimes differed from the one inserted into the markdown field.
• Fixed missing example requests and responses in the API documentation.
• Fixed an issue where deleting a retest request could leave findings stuck in 'Retest Pending' with no way to update the status.
• Cancelling or deleting a retest request now always sets the finding back to the status it was before the request, instead of always setting 'Unresolved'.
• Fixed a bug where sections could appear in the wrong order in some tables.
• Fixed image scaling issues in the online report.
• Fixed incorrect fonts and sizes being applied to some fields in the online report.
• Fixed an issue where the preview of large images in the markdown editor prevented editing the caption.
• The LinkedIn field for users can now only contain links to LinkedIn.
• Fixed a bug where deleting a custom field would cause a '405 Method Not Allowed' error.
• Fixed a bug on the schedule page where the 'Save changes' button did nothing when editing an assessment phase.
• Fixed a bug in the markdown editor where the focus would remain on the markdown editor when opening the snippet dialog.
• Fixed an issue that could prevent the 'General Settings' form from saving when certain results table options were selected.

Researcher panel improvements

Researcher activity indicators

User icons are now displayed in the researcher panel, showing who is currently working on which finding and whether they have an active edit lock.

Visibility options

Added controls to fine-tune the information shown in the researcher panel.

Roles-based filtering

You can now filter findings and sections by role (Researcher, Reviewer, Manager). When filtering, only items requiring action for the selected role are shown. Section tooltips are updated accordingly.

Highlighting text matches

When filtering findings or sections, matching text is now highlighted matches easier to spot.

Improved UI and animations

Improved the alignment of the 'Complete Review' button in the header and added smoother interface animations.

Image scaling support

You can now scale images in reports using syntax like: ![caption](href){scale=50}. The scale value must be a percentage between 25 and 100.

Business-day deadline offsets for tasks

Tasks now support deadlines based on business-day offsets. Instead of choosing a fixed date, you can define how many working days before or after a reference point the deadline should fall.

Bar chart option for 'findings by severity' chart

Added a new bar chart option to the 'Findings by Severity visualization. Also fixed: 

• A discrepancy in how remediation days were counted

• A missing section filter when selecting a specific severity

Consistent audit score terminology

Assessments using the audit scoring system now consistently display the correct severity names defined by that system, instead of the default 'Critical', 'High', 'Medium', 'Low', and 'Info' labels. Some examples:

Other Improvements

• The finding status 'Partially Resolved' can now be set independently of resolved targets.
• Active sessions are now invalidated when a user changes their password.
• Removed auto assignments for answering assessment section comments.
• Associated tags are displayed in the snippet modal.
• Inline components can now be used in captions.
• Table-style colors are now case-insensitive.

Bug Fixes

• Fixed an issue where the tool filter on the Tool Import page did not respond to typed input.
• Tools in the Tool Import dropdown are now sorted alphabetically.
• Added an error message when a user attempts to upload an invalid file type.
• Fixed a bug that allowed you to upload a .ttf file under Add font-family in Report Fonts.
• Fixed a bug that prevented a user from searching by tag.
• Corrected link colors in the HTML report for the Findings, Action Plan, and Results tables.
• Toast notifications now appear correctly when uploading output files.
• Fixed incorrect section highlighting in the Table of Contents side panel in the online report.
• Resolved an issue that could break the researcher panel when creating a finding from a template.
• Fixed occasional failures in PDF report generation when using non-Latin scripts.
• Fixed a bug where forms related to assessments remained locked after a user finished editing.

New Scoring System: PASSI

We’ve added support for the PASSI scoring system, developed by the French national cybersecurity agency ANSSI. This system uses a 4-point 'Impact' scale and a 4-point 'Ease of Exploitation' scale to determine the severity of findings, similar in approach to the OWASP Risk Rating Methodology.

Alongside this, we’ve introduced:

• A new risk assessment table component for your reports.
• A reusable scoring system description snippet to explain PASSI in your assessments.

Colored tables

You can now create tables in Markdown with custom background and text colors. Define styling rules based on row and column numbers by going to Templates > Table Styles. Once set up, users can easily apply these table styles when adding tables in the Markdown editor.

Highlights:

• When making your table styles, you can use many of Reporter’s named colors (like critical severity) that automatically follow the report’s theme.
• We have added two new colors: light table stripe and dark table stripe. You can customize them in your themes and use striped tables for readability.
• You can also use custom colors that are independent of the theme.
• We have added a 'Table style manager' role so you can control who can create and edit table styles.
• When you apply a table style in a Markdown field, all style data is saved into the Markdown itself. This means you can safely delete unused table styles later without affecting existing reports.

Renumbering Findings

Findings in Reporter have a number that is unique and used as part of their short ID. Those numbers are assigned sequentially, and any deleted findings can cause gaps in the numbering. Since short IDs are used in client communication, we don't want to renumber findings automatically. But we recognize that many of you don't want gaps in the finding numbering and that you want to number them based on the order they appear in the report.

With all that in mind, we have added a feature to let you renumber the findings in an assessment. When you do, the findings are renumbered at that moment, but any new findings are added with the next available number. This ensures that finding numbers stay consistent unless you decide you want to change them. You can access this functionality from the assessment dropdown on the main assessment page:

Findings can be reordered based on:

• Oldest finding first
• Report order (by section, then severity)
• Highest severity first

For more details, check out the documentation.

Improvements

• You can now tag targets in markdown fields using $, similar to sections, users, and findings.
• Client custom fields can now be added to the report using placeholders and a theme's text boxes.
• Custom fields of the type ‘File’, created for assessments or clients, can now be rendered as images inside text boxes in your report themes. For example, this allows you to easily display the client’s logo on the cover page of your assessment reports.
• You can now customize the front page and back page backgrounds for each assessment individually, directly from the assessment edit page.
• The CWE classifications have been updated.
• Added an environment variable called WEBHOOK_SSRF_HOST_WHITELIST to whitelist hosts for webhooks that can bypass SSRF header checks. This should be used for webhooks to external services like Slack where you can not control response headers. See Documentation > General > Settings > Webhooks for details.
• You can now upload multiple tool output files in a single request, making it faster and easier to import results.
• Added more details about account managers, including how they can be selected and linked under clients.
• Added documentation about finding statuses.
• Added instructions for using SFTP to connect to your storage for backups.

Bug Fixes

• Fixed a bug where reactions showed the wrong emojis. Unfortunately, the bug caused the incorrect emojis to be saved in the database, so reactions to timeline events may now show different emojis than they did before.
• Fixed a bug where the targets tab on the assessments page for completed or on-hold assessments was only visible to admins.
• Fixed a bug where findings did not appear in the CSV export if they had no targets.
• Fixed an exception when exporting findings to CSV if there were no findings to export.
• Fixed an exception when using webhooks targeting an IP address.

New Finding Statuses

Two new statuses have been added to findings: Partially Resolved and Unable to Verify. These are available alongside the existing statuses: Unresolved, Resolved, Retest Pending, and Accepted Risk.

Partially Resolved indicates that a finding has been resolved for some targets, but not all. When changing a finding's status to either Unresolved or Partially Resolved, Reporter will automatically determine the correct status based on which targets have been marked as resolved.

Unable to Verify is a manual status, similar to Accepted Risk. It is intended for findings that cannot be retested—for example, when another related finding has already been resolved, making verification of this one no longer possible.

We have also made the ordering of finding statuses more consistent throughout the application.

It is no longer possible to delete targets that have associated findings, because doing so would cause unintuitive changes to the findings' status.

Components per Section

The following report components can now be limited to findings within a specific section of the report:

• Action plan table
• Audit table *
• Finding counts by severity
• Findings by severity and status bar chart
• Findings severity chart
• Findings table
• Results table (including management results table) *

For components marked with an *, only top-level sections can be chosen. By selecting a section, only findings in that section and any of its subsections will be shown or counted in the component. The captions have been updated to include the name of the selected section.

You can choose a section when adding a new instance of a component in the markdown editor, or when adding the components to assessment templates.

CVE Auto-link

When you add a CVE identifier—such as CVE-2024-20439—in a markdown field, it now automatically becomes a clickable link to a CVE database. For example, CVE-2024-20439 will link to: https://nvd.nist.gov/vuln/detail/CVE-2024-20439

By default, links point to nvd.nist.gov, but admins can configure them to use mitre.org, cvedetails.com, or a custom URL. Auto-linking can also be disabled entirely.

These settings can be adjusted under Settings > General > Functionality.

More Code Box Highlighting Options

New [mark] styles have been added to the Markdown editor, allowing you to highlight specific lines or elements within code blocks more clearly.

Other Improvements

• Added separate permissions for adding, editing, removing, and reordering assessment sections. This will provide you with more granular control over custom assessment roles.
• You can now use the !-tag to highlight sections in assessment templates.
• Added new placeholder options for dates from the latest retest phase, or from the most recent phase (whether research or retest).
• Notifications about draft reports now trigger a direct download of the report, instead of redirecting to the assessment page.
• It's now possible to disable the dotted lines in the report's table of contents via the theme editor settings.
• You can now customize the bullet style of bulleted lists in the theme editor.

Bug Fixes

• Fixed an error that occurred when attempting to approve and/or publish an assessment section from the review page.
• Fixed an issue that caused certain API routes to respond slowly.
• Fixed a bug that prevented you from adding MIME type rules to file custom fields.
• Fixed a rare issue where an assessment with a retest status (such as Retest Active), but no retest phase, was sorted in the wrong place.
• Fixed an issue where the task count in the researcher panel was not always updated correctly.