
An EASM blog from Detectify

GUIDE: The false positive report process

November 19, 2015

My name is Linus Särud. I’m a Detectify Security Researcher and responsible for incoming support emails. Going forward, we will identify popular subjects from the Detectify support and write about them on our blog, for more open and transparent communication with our users. This is both to ensure that you use our product in the best way possible, and to give attention to those of our users who continuously help us improve our service so that it is as accurate as possible.

We have received some questions about false positives, so this seemed like a good subject to start with.

What exactly happens when you report a false positive?
Detectify has identified over a million vulnerabilities on the websites that were scanned. Less than 0.1% of all those are reported as false positives. False positives are findings that are detected as vulnerabilities when they actually are not – and we are working hard to minimize the occurrence of these to ensure a more accurate result.

When you report a false positive (i.e., a vulnerability that isn’t really a vulnerability), mainly three things happen:

• The finding is marked as a false positive in the report.

• The false positive status is saved in a database, so that we can filter out similar findings in future reports.

• An email is sent to an employee who handles these cases for each report. That’s usually me. We make sure to follow up on every report manually.

Individual review of all reports
As we manually review every false positive report, it helps if you are detailed in your description in the report. This applies to all kinds of questions and feedback that you send to the Detectify support.

• In cases where we can confirm that the vulnerability actually exists, and therefore is not a false positive, we try to explain this to the user, as there has clearly been some kind of misunderstanding.

• In cases where we fail to confirm the vulnerability, and it is therefore likely to be an actual false positive, we file a report in an internal bug tracker. These reports are then reviewed by the developers of the web service.

When it has gone through these steps and it is confirmed to be a valid false positive, we try to find the issue, fix it and then add it to a future release.

So by reporting false positives you help improve Detectify. Thank you for this and keep reporting!

Linus Särud
Security Researcher