Releases

2021.11.02

Download Show checksums

Additions

  • Cloned findings can now be deleted in the original assessment.
  • Added a 'Severity Only' scoring system that lets you select a severity from 'Info' to 'Critical' without providing impact/likelihood or CVSS metrics.

Changes

  • 'Researcher briefing updated' notifications are now only sent if the assessment status is active or under review

Bugfixes

  • Fixed an issue where notifications about new tasks would count tasks that were already completed.
  • Fixed a bug where toast notifications without a sender would not appear.
  • Sign-in with Google/Microsoft is now blocked in Internet Explorer.
  • Fixed a bug where a vulnerable finding could be created without a status. This made it impossible to move them to a new assessment.
  • Fixed a bug where some Acunetix, all Burp Suite and VulnDB templates had a severity of Not Applicable
Read more

2021.10.14

Download Show checksums

Real-Time Notifications 

This release adds real-time notifications for users. By clicking on the bell icon real-time notifications can be paused.

Reporter real-time notifications

Real-time notification functionality is only available when Pusher has been configured. 

Besides real-time notifications, the logic behind the notifications has improved, resulting in less email being sent and content that is more relevant.

Bugfixes

  • Fixed a bug where a deadline of a previous phase was shown on the dashboard and assessment show pages.
  • Fixed a bug where copy to clipboard after inline edit would copy old results.
  • Inviting a user or removing a user now always adds/removes their icon on the assessment show page.
  • Creating a finding from a template no longer stores the classifications from the template not used in the assessment.
Read more

2021.10.05

Download Show checksums

Assessment Schedule

Several new dates have been added for the assessment phases. Each phase now has a 'Research Start Date' and a 'Research Deadline', a 'Review Start Date' and a 'Review Deadline', and a 'Delivery Date'.

A schedule/agenda view has been added for assessment phases, accessible via the main menu. Each phase is separated into Research, Research Overtime, Review, and Finalization steps. The schedule can be filtered by assessment and user.

Security Reporter Schedule

The dashboard assessments table now shows users based on the assessment's status. It shows the researchers assigned to the latest phase if for 'Active' assessments, reviewers for 'Under Review', and any assessment managers for other statuses. This should give a much better overview of who is supposed to be working on which assessment right now. In addition, clients now always see the managers of an assessment in a contacts column.

Task Deadlines

Tasks now have deadlines. Most task deadlines are based on the deadline set in the current assessment phase. For example, a task to review a finding will use the 'Review Deadline' as a deadline.

  • Deadlines for custom tasks can be set when creating or editing them.
  • Deadlines for tasks from task sets can be preset in the task set before or in the individual tasks afterward.
  • Deadlines for tasks that don't relate to assessment phases, such as global tasks or comment tasks, can be set in business days from the Settings > Settings > Functionality page.

Tasks are only shown in the various overviews if they are relevant based on the assessment's status. For example, a task to add a finding to a section that requires findings is not shown until the assessment status is set to  'Active'.

A task overview has been added to the dashboard. For researchers, this shows how many tasks they have in each assessment, and how many of them are due in the future, today or in the past. Admins also have a tab to show unassigned tasks, and one to show tasks that are due today or overdue.

Security Reporter Dashboard Tasks

Other new and improved features

  • Scheduled assessments are now automatically set to 'Active' on the Research Start Date.
  • Added a 'Complete Assessment' button to the researcher panel if there are no caution tags, no drafts, and the assessment is has a 'Review Completed' status.
  • Assessment Phases are now completed when the assessment is. Only one uncompleted phase can exist.
  • Requesting a retest now also creates a retest phase if no uncompleted retest phase exists.
  • Impersonating a user now creates an activity.
  • Users of Internet Explorer now see a warning that their browser is not supported and can no longer log in.
  • Added search functionality and filters to clients.
  • Improved the links in some tasks to lead directly to the associated event or (prefilled) form.
  • Added (deactivated) after the names of blocked users in the application. This is not shown in reports, emails, or the API.


Bugfixes

  • Fixed a typo in the caption of the results table component.
  • Fixed a bug where no activity was created when deleting a finding.
  • Fixed several issues on the review page related to loading new pages in the tabs.
  • Fixed a bug where documents could not be retrieved via the API.
  • Fixed a bug where filtering activities in an assessment could show activities from other assessments.
  • Fixed an issue where date pickers would not close when clicking outside them.
  • Fixed an issue where finding templates weren't updated in Elasticsearch when their associated sections changed.
Read more

2021.09.13

Download Show checksums

Support for CWE and CAPEC Classifications

The classification of findings has been reworked. MITRE Common Weakness Enumeration (CWE), MITRE Common Attack Pattern Enumeration and Classification (CAPEC), and Bugcrowd Vulnerability Rating Taxonomy are currently supported. For MITRE based classifications, it is possible to examine the entries by using views.

Reporter CWE selection

The classification systems used can be set for each assessment, and the default classification systems for new assessments can be set from the settings page. Classifications have been added to finding templates where available.

Other new and improved features

  • Researcher panel buttons have been reworked.
  • Sections that contain caution tags are displayed with an icon in the researcher panel.
  • The action-required tooltips in the researcher panel have been improved.
  • Docker image is now based on Debian Bullseye.
  • Snippets for OWASP and CVSS risk assessment sections are now seeded and included in the relevant sections of seeded assessment types and assessments.
  • Blocking/Deleting of users has been improved.

Bugfixes

  • Fixed a bug where the copy markdown button didn't work after editing a markdown field.
  • Fixed caution tags in retests check.
  • Added existence checks for broadcasting. Loading broadcast channels will no longer rarely crash if a model has been deleted or access has been revoked.
  • Copy tags are now removed from the PDF instead of being shown as "[copy][/copy]" in reports.
Read more

2021.08.09

Download Show checksums

Activity Functionality

New Activity functionality is now available via the main menu. An overview screen shows the activity per assessment in the last seven days. Besides this, it is possible to filter and search in all logged assessment activities. The activity pages have been polished, so it is easier to keep an overview.

Other new and improved features

  • Versioning for finding templates.
  • Via a new button in the researcher panel, a researcher can now easily change the assessment to "Under Review" when the active research stage has been completed.
  • Via a new button in the researcher panel, a reviewer can now easily change the assessment status to "Review Completed" when the review has been completed.
  • Docs are now available via docs.securityreporter.app.
  • PHP-FPM directives are now configurable via env vars.
  • The researcher tree will now show an icon when a caution tag is present.
  • Fix order of finding version fields to be consistent with the ordering everywhere else.
  • Improved notifications are presented to client users when viewing an assessment that has not been completed yet.
  • The Reporter Docker container has been improved. 
  • Added a CVSS risk assessment table (component).
  • Breadcrumbs have been shortened to increase readability.
  • In target import, importable targets are now shown with the assessment title and date.

Bugfixes

  • Fixed broken links in assessment result tables of the HTML report.
  • Deduplicate VulnDB templates.
  • Fix links to Reporter settings in new environments.
  • Fixed exception in email-address-changed email.
  • Fixed a forbidden redirect when editing an assessment section as a researcher.
Read more