Availability: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)

Mark vulnerability as risk accepted

You can mark a vulnerability as risk accepted when remediation isn't feasible, or when you've reduced the risk through other means. A risk accepted request does not take effect immediately: it goes through an approval workflow and is applied only once an administrator approves it.

Prerequisites

  • You must have write permission on risk accepted requests.

Risk accepted types

When marking a vulnerability as risk accepted, you must choose one of the following types:

  • Won't Fix: The team won't remediate the vulnerability. Use this when the cost or effort of fixing the vulnerability outweighs the risk it poses.
  • Mitigated: Compensating controls or other measures reduce the risk even though the vulnerability itself isn't fixed. Record the specific controls in the Description so reviewers can verify them later.

Mark a single vulnerability

  1. Navigate to the project and open the Vulnerabilities tab.
  2. Click the page icon on the right side of the vulnerability row to open the vulnerability details.
  3. In the vulnerability details drawer, find the Risk Accepted section.
  4. Choose a type: Won't Fix or Mitigated.
  5. Fill in the following fields:
     Type (required): The risk accepted type, Won't Fix or Mitigated.
     Description (required): An explanation of why you're accepting the risk.
     Expiration Date (optional): Enable the toggle and choose a date and time if you want the risk accepted status to expire automatically. If not set, the status never expires, so set one when the acceptance should be re-reviewed rather than stand indefinitely.
  6. Click Mark as Risk Accepted.

The request enters the Pending state until an administrator approves or rejects it. Until then, the vulnerability is not marked as risk accepted.

Mark vulnerabilities in bulk

  1. In the vulnerability list, check the boxes for the vulnerabilities you want to mark.
  2. Click the Actions dropdown and choose Risk Accepted.
  3. Set the Status to Mark to apply a risk accepted status, or Unmark to remove it.
  4. Choose the Type: Won't Fix or Mitigated.
  5. Fill in the Description and optionally set an Expiration Date.
  6. Click Mark as Risk Accepted.

After the bulk action completes, a summary shows:

  • Successful transactions: Vulnerabilities that Invicti AppSec processed successfully.
  • Failed transactions: Vulnerabilities that Invicti AppSec couldn't process, with error details for each.
  • Untouched transactions: Vulnerabilities that Invicti AppSec skipped without making a change.

Approval workflow

Risk accepted requests go through the following statuses:

  • Pending: The request is waiting for review. The vulnerability is not yet marked as risk accepted.
  • Approved: An administrator approved the request. The vulnerability is now marked as risk accepted.
  • Rejected: An administrator rejected the request. The vulnerability keeps its previous status.
  • Expired: The expiration date set on the request passed, and the risk accepted status no longer applies.

Administrators approve or reject pending requests from the vulnerability details drawer. The requester can cancel their own request while it is still pending.

Unmark risk accepted

To remove a risk accepted marking:

  • From the vulnerability details: Open the vulnerability details drawer and change the Risk Accepted toggle to No.
  • In bulk: Check the vulnerabilities, click Actions > Risk Accepted, set the Status to Unmark, and submit.

Edit the expiration date

You can edit the expiration date of an existing risk accepted marking from the vulnerability details drawer.
