Here are all possible states of reports:
New - once a report has been submitted it receives a New state. At this stage it’s possible to delete a report, if you have changed your opinion.
In Review - The triage team starts the validation process of the submission.
Need More Info - if the triage team needs additional details for validation they ask for it. If we don’t hear back from you for more than 30 days, such report will be automatically closed.
Triaged - once we approve the report, it goes forward to the client’s security team to fix the vulnerability.
Resolved - the report was valid and was fixed.
Duplicate - the reported vulnerability has been reported before.
Informative - the report was useful for the company but there is no need in immediate action or a fix.
Out of scope - the report was useful for the company but the issue is not in the focus of the program.
Not Applicable - the report was not valid or it’s not connected with security of the application.
Spam - the report was not a valid security issue or didn’t have any useful information for the company.
Disclosed - the report is disclosed to the public.