Releases

2025.04.03

New Finding Statuses

Two new statuses have been added to findings: Partially Resolved and Unable to Verify. These are available alongside the existing statuses: Unresolved, Resolved, Retest Pending, and Accepted Risk.

Partially Resolved indicates that a finding has been resolved for some targets, but not all. When changing a finding's status to either Unresolved or Partially Resolved, Reporter will automatically determine the correct status based on which targets have been marked as resolved.

Unable to Verify is a manual status, similar to Accepted Risk. It is intended for findings that cannot be retested—for example, when another related finding has already been resolved, making verification of this one no longer possible.

We have also made the ordering of finding statuses more consistent throughout the application.

It is no longer possible to delete targets that have associated findings, because doing so would cause unintuitive changes to the findings' status.

Components per Section

The following report components can now be limited to findings within a specific section of the report:

Action plan table
Audit table *
Finding counts by severity
Findings by severity and status bar chart
Findings severity chart
Findings table
Results table (including management results table) *

For components marked with an *, only top-level sections can be chosen. By selecting a section, only findings in that section and any of its subsections will be shown or counted in the component. The captions have been updated to include the name of the selected section.

You can choose a section when adding a new instance of a component in the markdown editor, or when adding the components to assessment templates.

CVE Auto-link

When you add a CVE identifier—such as CVE-2024-20439—in a markdown field, it now automatically becomes a clickable link to a CVE database. For example, CVE-2024-20439 will link to: https://nvd.nist.gov/vuln/detail/CVE-2024-20439

By default, links point to nvd.nist.gov, but admins can configure them to use mitre.org, cvedetails.com, or a custom URL. Auto-linking can also be disabled entirely.

These settings can be adjusted under Settings > General > Functionality.

More Code Box Highlighting Options

New [mark] styles have been added to the Markdown editor, allowing you to highlight specific lines or elements within code blocks more clearly.

Security Reporter code highlighting in code blocks

Other Improvements

Added separate permissions for adding, editing, removing, and reordering assessment sections. This will provide you with more granular control over custom assessment roles.
You can now use the !-tag to highlight sections in assessment templates.
Added new placeholder options for dates from the latest retest phase, or from the most recent phase (whether research or retest).
Notifications about draft reports now trigger a direct download of the report, instead of redirecting to the assessment page.
It's now possible to disable the dotted lines in the report's table of contents via the theme editor settings.
You can now customize the bullet style of bulleted lists in the theme editor.

Bug Fixes

Fixed an error that occurred when attempting to approve and/or publish an assessment section from the review page.
Fixed an issue that caused certain API routes to respond slowly.
Fixed a bug that prevented you from adding MIME type rules to file custom fields.
Fixed a rare issue where an assessment with a retest status (such as Retest Active), but no retest phase, was sorted in the wrong place.
Fixed an issue where the task count in the researcher panel was not always updated correctly.

2025.02.19

Download Show checksums

Tool Findings API enhancements & new webhooks

We've enhanced the API and webhooks to provide greater control and automation over findings and targets extracted from supported scanning tools like Burp and Nessus. With these new capabilities, you can:

Access & Manage Parsed Findings – Retrieve tool findings and targets, import them into assessments, and link them to existing findings or targets.
Mark Findings – Mark findings or targets as 'out-of-scope' or 'ignored'.
Automate Workflows – Use new webhooks to trigger actions when output file parsing is complete.
List Output Files – Retrieve and manage parsed tool output files via the API.

See the updated API documentation for full details.

Other improvements

Caution tags have been renamed to To-Do tags for clarity. All existing caution tags are automatically updated.
When requesting a review, approval, or publishing a finding with To-Do tags, you’ll now receive a warning.
An assessment’s research hours are displayed on the schedule page when assigning a phase.
The spacing around code, table, and figure captions is now more consistent.
You can now adjust the spacing between a code block, table, or figure and its caption.
Findings, users, and sections can be tagged immediately after an opening brace or parenthesis. For example, typing "in another finding (#finding:...)" will trigger the selection menu.
When importing findings from a previous assessment, references to findings or sections in the old assessment are automatically updated to their equivalents in the new assessment, whenever possible.

Bug Fixes

Resolved an issue where findings imported from a previous assessment were always published.
Fixed a bug where a published badge incorrectly appeared in retests in the PDF report.
Addressed an issue where findings moved to new sections in the researcher panel could still be found in the old section via search.
Fixed a bug where the 'Approve and publish' dropdown sometimes didn't appear.
Corrected an issue with empty multi-select custom fields.
Fixed a bug where videos attached to Markdown fields occasionally appeared twice in the online report.
Resolved an error when loading certain rare notifications.
Fixed an issue where non-custom short IDs on the assessment edit page were not automatically updated using the research start date.
Adjusted table margins to correct excessive spacing above text in some tables.
Fixed a rare exception when rendering the management results table to PDF.
Resolved an exception when rendering VRT classifications to PDF.
Fixed an issue in the results table component where resolved findings sometimes appeared in the wrong column.
Prevent lengthy usernames from overflowing from the menu and onto the page content.
The 'finding counts by severity' component (with the original severity option selected) now correctly links to the search page filtered by 'original severity' instead of 'current severity'.
Sections in the researcher panel now correctly display their folder color based on retest status.

2025.01.24

Download Show checksums

Improved researcher panel

We've revamped part of the researcher panel to make organizing your assessments easier and more efficient.

Rearrange sections and move findings between them with drag-and-drop simplicity in the new "reorder" view (accessible via the wrench icon).

Create and delete sections on the fly using the right-click context menu – no more page refreshes!

Access all section properties in a single, detailed view without leaving the page. Hover over icons for property details.

We have many more exciting improvements planned for the researcher panel to enhance your workflow further.

Highlight key details using callouts

Add visual emphasis to your content with callouts! Callouts help you emphasize key information, making your reports clearer and more impactful. Plus, they're rendered perfectly in PDF exports for a professional look.

More control over publishing findings, sections, and retests

We've enhanced how you share information with clients, giving you greater flexibility and control. You can now publish findings, sections, and retests independently, regardless of the overall review status.

Previously, clients could see findings, sections, and retests in two ways: automatically when approved by a reviewer, or when manually set to "published" status. This happened even if the overall assessment wasn't set to a completed status, which sometimes caused confusion.

Now, you decide what clients see and when. Keep everything under wraps until the assessment is complete, or share critical findings, sections, or retests immediately – the choice is yours!

How it works:

Publish individual findings, sections, or retests at any time, even if they're still in draft status. This allows for early collaboration and faster response to critical issues.
When your assessment is finalized, you can publish everything with a single click.

Example: Share a critical "draft" finding with your client so they can begin mitigation right away. They'll see the "draft" status and understand that details may be refined later.

Enhanced control over automated backups

We've added greater flexibility and control to automated backups:

Customize the size limits for your automated backups to optimize storage usage.
Stay informed with email alerts for successful backup operations (previously only sent for failures).
Set a warning threshold to be notified when backups approach the total size limit, allowing you to take proactive action.

For detailed information, see Documentation > General > Configuration > Backups for details.

Retests now available without client requests

You can now initiate retests without needing a client request. This new assessment setting is ideal if you don't plan on giving clients access to Reporter.

With this setting enabled, you can use all retest functionality, including the review process, with greater flexibility and without requiring client involvement.

Set your default preference for this setting in Settings > General > Assessment Defaults to apply it to all new assessments.

Other improvements

Targets are now optional. You can now create findings without targets.
Researchers can now edit each other's retests.
You can now customize the vertical padding in tables in your report themes.
Added functionality to import and export assessment templates as zip files.
Improved logic for when new versions are created.
Greatly improved performance of the API documentation page.
You can now add the number of findings in each category to the labels of the finding severity chart report component.
Added an option to show the original severities in the finding counts by severity components.
You can now use most assessment custom fields as placeholders on the front page of your reports.

Bug Fixes

Fixed a bug where the status of an assessment was not automatically set to scheduled when you set dates.
Fixed a bug where the markdown editor showed incorrect autocomplete suggestions when you are writing a code block caption.
Fixed missing translations for health check emails about automated backups.
Fixed a bug where you couldn't attach documents to a request for revision of an assessment section.

2024.12.17

Download Show checksums

This is a security and bugfix release. We recommend updating as soon as possible.

Security

A security issue related to the reauthentication process has been resolved.

Bug Fixes

We have fixed various issues relating to the new custom fields feature. Thanks to everyone who submitted feedback and reported bugs.

Fixed an issue where the names of finding fields (e.g., "Description") were not translatable. If you installed 2024.11.26 and are using multiple languages, please retranslate these field names.
Fixed an issue where custom field labels were not translated in reports.
Fixed an issue where creating webhooks from Zapier did not work.
Fixed an issue where custom select and multi-select fields broke if more than one was present on the same form.
Fixed suggesting a finding as a translation for a finding template.
Fixed an issue where the original severity of a finding was not struck through in the online report.
Fixed a bug where the header of a table was sometimes repeated on the next page, even after the caption.
Fixed a front-end error that occurred after editing a finding on the review page.

Improvements and Enhancements

Account managers now have limited access to all clients, allowing them to list all client names. This change addresses the issue where account managers unintentionally created duplicate clients due to not seeing that a client already existed.
Added placeholders for additional dates from the initial assessment phase.
Added a toggle to hide other assessments in the frequent assessment quick bar.

2024.11.26

Download Show checksums

Introducing Custom Fields and Finding Layouts

Designed to put flexibility and control at your fingertips. Add highly customizable fields to users, clients, assessments, and findings, and tailor the layout of findings to your exact needs. Use custom fields with your integration with external services - see our blog for an example integration with GitHub that utilizes custom fields, webhooks, and the Reporter API.

Custom fields can be added to findings, assessments, clients, and users:

For example, add an "About me" field to user profiles:

Create Fields of Any Type: From simple text and number fields to specialized options like email, URL, markdown, and multiselect, you can build forms that precisely reflect your requirements.

Customize Every Aspect of a Custom Field: Design fields to fit your exact needs with extensive customization options. Customize labels, API names, and tooltips of each custom field. Set up many types of validation rules to enforce data consistency. Mark fields as required, and apply type-specific settings for an optimized data entry experience. Every aspect of your custom fields can be tailored, making them as adaptable and detailed as your application requires.

Effortless Custom Field Translation: Add multilingual support by translating custom field elements with ease. When a custom field appears in a pentest report, it automatically aligns with the report’s language, displaying the appropriate translation. Provide a localized experience for all your clients across the globe without additional effort.

API Integration: Access and manage custom fields through the API, just like any standard field. Retrieve and update custom field data effortlessly, integrating it directly into your workflows.

Customize Finding Layouts: Take full control over your findings by customizing which fields are visible, setting conditions for when they appear, and adjusting their display format. Define the order and structure to create clear, organized layouts that align with your reporting needs, ensuring every assessment is presented exactly as intended.

New report component: charts

It is now possible to insert charts with finding statistics to your reports. These charts are generated automatically based on the status of your findings. Simply insert the chart component in your preferred location, and Reporter takes care of all the technical details when it's generating the report. Of course, the look of these charts can be fully customized in the theme editor!

Other improvements

Added a new option that allows findings to be shown as headers in the table of contents.
Theme options were added for centering narrow tables and figures on the report page.
When holding Ctrl to select multiple items in a multiselect form element, the scroll wheel now scrolls down the list of options, instead of zooming in or out.
HTML IDs and classes were added to analytics chart and table blocks, so that they can be targeted with custom CSS.
Tagged sections are now rendered as the name of the section in plain text if the section is not on the current report (just like findings).
Page number columns in the findings and action plan tables are now automatically hidden when rendering a management report.
The CWE list was updated to the latest version.

Bug Fixes

Re-added the upload button that went missing on the font page.
In translated reports the correct translation of the word "Table" is now used in all captions.
Fixed a bug when publishing a finding and changing its severity in the same request would cause the wrong original severity to be set if the finding had been published before.
Do not reset the original severity when a finding is published again.
Clicking links in the Table of Contents in the online report no longer reloads the page.
Fixed some minor bugs in the (multi)select component.
The assessment templates edit page now loads with the correct language for the sections.
Inline code no longer overlaps with surrounding text in the Markdown editor.
Used the correct font for inline code in image and table captions in the HTML report.
Made margins in the side-by-side view of the markdown editor look more consistent.
Malformed shortcode components in Markdown fields are handled better so that they don't cause report compilation to fail.
Another report compilation issue that happened when captions or copy tags contained shortcode components was resolved.
A visual bug was fixed where inline editing target credentials would cause the contents to float right.
A bug was fixed where the application logo and custom stylesheet would sometimes be deleted when submitting changes to the application settings.
When assessing a finding template suggestion, the tags are now copied correctly.
When uploading an invalid file the proper error message is now displayed.
The action plan inputs are no longer disabled when creating a new finding template suggestion.
After adding a file to the file upload component and clicking the "Undo" button, the file is no longer uploaded in some cases when submitting the form.