Statuses
These are the current workflow statuses for vulnerabilities.| Status | Meaning |
|---|---|
| Open | New vulnerability, not yet reviewed |
| Confirmed | Verified as a real issue |
| Needs Review | Requires human attention |
| In Progress | Being worked on |
| In Review | Fix submitted, under review |
| Resolved | Final state for remediated vulnerabilities. Resolution required |
| Closed | Final state for Won’t Fix, False Positive, Duplicate, or other non-remediation outcomes. Resolution required |
Status notes
- When you move a vulnerability to Resolved or Closed, a resolution is required
- Available transitions depend on the current status
- A final vulnerability can be reopened manually only when Cysmiq still has an active location for it
- If all locations are fixed, future redetection by a scan is the path that reopens the finding
- Reopening a final status is tracked as a regression and shown in the vulnerability detail view
Resolutions
Resolutions describe the outcome when a vulnerability is marked Resolved or Closed.| Resolution | Meaning |
|---|---|
| Fixed | Issue was fixed |
| Won’t Fix | Accepted risk, will not fix |
| False Positive | Not a real issue |
| Duplicate | Same as another vulnerability |
| Cannot Reproduce | Unable to verify |
| Done | Completed |
| Rejected | System-only, set when analysis determines it is not a vulnerability |
False positive workflow
Use this workflow when the development team confirms that a finding is invalid or does not represent an actionable vulnerability.- Open the vulnerability detail view.
- In the Status and resolution sidebar control, choose Closed.
- Choose False Positive as the resolution.
- Add a comment with the decision context, such as the reviewer, evidence, or linked discussion.
- Save the status change.