Hello guys.
I’m reporting a vulnerability to add to a previous finding, but I see the actor and scenario are different, e.g., one scenario could be an authorized Internet user, while the other could be Anonymous from Internet. I consider that the scenario reported must be the one with greater impact with regard to confidentiality, integrity or availability, but I’d like to know the opinion of my colleagues.


Hi, great question. Can you please add more details on what finding you are reporting? This is to establish if it’s better to report a separate finding with a new last name.

Seems that should be in a different finding, because the actor and impact are different.


Hi. The finding is FIN.H.0037. Leakage of technical information. The first scenario occurs when a logged-in user makes a request with errors; the second scenario occurs if anyone on the Internet tries to access a non-browsable directory. I was also told that if the remediation is the same, the new vulnerability should be added to the previous finding.

Greetings and thanks for your answers.

I agree with @blue-snot. The scenarios are different so the score must be different and hence a new finding must be filed.

Thank you for clarifying this scenario. I’ll continue applying this criterion with future findings.

