praetorian-inc / chariot-ui

Chariot Offensive Security Platform
https://preview.chariot.praetorian.com
MIT License

Vulnerability Substates #75

Closed treburn closed 1 week ago

treburn commented 2 weeks ago

- Change "Closed - Accepted" to "Open - Accepted".
- Change "Closed - Rejected" to just "Rejected". (Closed is generally for only after we open a risk and they've fixed it. We go from triage to Rejected if the risk is a false positive. This will also pave the way for substates of Rejected for our ML team.)
- Hide "Rejected" from the UI after rejection.

Let me know if there's any confusion or discussion to be had around this topic.

peter-kwan commented 2 weeks ago

@treburn -- It seems like "Accepted" has two common semantics:

  1. An accepted risk in the Closed/Rejected state, meaning "I am ok to have this risk on my systems and I accept the associated troubles". In some systems, this is named "Closed (accepted risk)".
  2. An accepted risk in the Open state, meaning "The MSP team triaged the risk and accepts it as a valid one."

Is this how you see the semantics too?

treburn commented 2 weeks ago

I don't think we should close a risk just because they "accept" it as a risk. It should either be closed or open. The label itself can just say "Accepted Risk" if we want and we will treat it as an open risk but report on it differently for their team.

privateducky commented 1 week ago

@treburn we went a few cycles on this topic and reoriented our statuses. Can you re-review and let me know if you think we should adjust?

treburn commented 1 week ago

Good to close this out, thanks!