Workflow Status
Vulnerability Lifecycle in Conviso Platform
In the Conviso Platform, vulnerabilities follow a structured lifecycle that supports continuous validation and traceability.
Standard Lifecycle Flow
Created > Identified > In Progress > Awaiting Validation > Fixed
↺ If detected again → Identified
This flow ensures that vulnerabilities are never considered permanently resolved without technical evidence.
Status Categories and Behavior
Statuses are divided into technical statuses and decision statuses.
Status Overview
Created
- Category: Technical
- Automatic Change: Yes
- Description: Initial registration of the vulnerability.
Identified
- Category: Technical
- Automatic Change: Yes
- Description: Vulnerability confirmed after human review or AI Agent analysis. This status is assigned once the finding has been analyzed and validated, whether it originated from an automated scan or was created manually.
In Progress
- Category: Decision
- Automatic Change: No
- Description: Remediation activities are currently underway.
Awaiting Validation
- Category: Decision
- Automatic Change: No
- Description: The remediation has been completed by the development team and is awaiting validation or approval by another responsible party, such as a security team or a security champion. This status is used when the fix requires an additional internal review before being considered resolved, for example in organizations where changes deployed to production must be reviewed by a security team prior to final closure.
Fixed
- Category: Technical
- Automatic Change: Yes
- Description: The vulnerability is no longer detected or has been validated as resolved.
Risk Accepted
- Category: Decision
- Automatic Change: No
- Description: The risk associated with the vulnerability has been formally accepted.
False Positive
- Category: Decision
- Automatic Change: No
- Description: The vulnerability has been confirmed as non-exploitable.
Final vs Non-Final Statuses
Final statuses
- Risk Accepted
- False Positive
These represent explicit human decisions and cannot be reverted automatically.
Non-final statuses
- Created
- Identified
- In Progress
- Awaiting Validation
- Fixed
These may change based on human interaction or new scan evidence.
Understanding the Fixed Status
The Fixed status represents a validated outcome, not a permanent decision. A vulnerability may be marked as Fixed in two situations:
- Scan-based Evidence (Automatic): The vulnerability is not detected in the most recent scan for the same fingerprint (file, dependency, endpoint, image, etc.).
- Human Declaration Awaiting Validation (Manual): A developer or security engineer declares that remediation is complete. The vulnerability is marked as Fixed, pending confirmation via a new scan.
Important Characteristics
- Fixed can be set automatically (scan evidence) or manually (remediation declaration)
- If detected again, the status automatically reverts to Identified
- Fixed does not imply risk acceptance
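The lifecycle rules above (technical vs decision statuses, final statuses that scan evidence never reverts, Fixed reopening to Identified on re-detection) written out as a small state machine. This is an added example, not Conviso Platform code: the class, method names, the `history` audit trail and the sample fingerprint are assumptions made for illustration.

```python
"""Vulnerability status state machine following the lifecycle described above.

Added example, not Conviso Platform code: names and sample data are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    CREATED = "Created"
    IDENTIFIED = "Identified"
    IN_PROGRESS = "In Progress"
    AWAITING_VALIDATION = "Awaiting Validation"
    FIXED = "Fixed"
    RISK_ACCEPTED = "Risk Accepted"
    FALSE_POSITIVE = "False Positive"


# Technical statuses are assigned by the platform from evidence; the others are human decisions.
TECHNICAL = {Status.CREATED, Status.IDENTIFIED, Status.FIXED}
# Final statuses record an explicit human decision and are never changed by scan evidence.
FINAL = {Status.RISK_ACCEPTED, Status.FALSE_POSITIVE}
# Statuses a person may set by hand; manual Fixed is the "remediation complete" declaration.
MANUAL_TARGETS = {Status.IN_PROGRESS, Status.AWAITING_VALIDATION, Status.FIXED} | FINAL


class TransitionError(Exception):
    """Raised when a requested status change is not allowed by the lifecycle rules."""


@dataclass
class Vulnerability:
    fingerprint: str                                  # file, dependency, endpoint, image, ...
    status: Status = Status.CREATED                   # initial registration
    history: list = field(default_factory=list)       # (old, new, actor) audit trail (assumed)

    def _move(self, new: Status, actor: str) -> None:
        if new is not self.status:
            self.history.append((self.status, new, actor))
            self.status = new

    def confirm(self, actor: str) -> Status:
        """Created -> Identified after human review or AI Agent analysis."""
        if self.status is not Status.CREATED:
            raise TransitionError(f"cannot confirm a vulnerability in status {self.status.value}")
        self._move(Status.IDENTIFIED, actor)
        return self.status

    def decide(self, new: Status, actor: str) -> Status:
        """Human-driven change to a decision status, or a manual Fixed declaration."""
        if new not in MANUAL_TARGETS:
            raise TransitionError(f"{new.value} is a technical status set by the platform, not by hand")
        self._move(new, actor)
        return self.status

    def apply_scan(self, detected: bool, scan_id: str) -> Status:
        """Automatic update from a new scan result for the same fingerprint."""
        if self.status in FINAL:
            return self.status                       # final decisions are never reverted automatically
        if detected:
            if self.status is Status.FIXED:
                self._move(Status.IDENTIFIED, scan_id)   # regression: Fixed reopens as Identified
        else:
            self._move(Status.FIXED, scan_id)            # no longer detected: scan-based Fixed
        return self.status


def demo() -> list:
    """Walk one constructed finding through the standard flow and a regression."""
    v = Vulnerability(fingerprint="pkg:npm/example-lib@1.0.0")   # constructed sample fingerprint
    v.confirm("ai-agent")                                        # Created -> Identified
    v.decide(Status.IN_PROGRESS, "developer")
    v.decide(Status.AWAITING_VALIDATION, "developer")
    v.apply_scan(detected=False, scan_id="scan-2")              # -> Fixed (scan evidence)
    v.apply_scan(detected=True, scan_id="scan-3")               # -> Identified (detected again)
    v.decide(Status.RISK_ACCEPTED, "security-team")             # final decision
    v.apply_scan(detected=False, scan_id="scan-4")              # no effect: final status
    return [new.value for _, new, _ in v.history]


if __name__ == "__main__":
    print(" > ".join(demo()))
```

The `history` list is what a reviewer would check when asking why a finding is Fixed: every automatic transition carries the scan id that produced it, and every decision carries the person who made it, so a Fixed without scan evidence is visibly a manual declaration still awaiting confirmation.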