Understanding Findings

A finding is a security vulnerability or weakness that our researchers have discovered during testing. Every finding is documented with enough detail for your development team to understand the issue and fix it. This page explains how findings work and how to manage them in the portal.

What a Finding Contains

When you open a finding, you will see the following information:

  • Title -- A clear, descriptive name for the vulnerability

  • Severity -- How serious the issue is (Critical, High, Medium, Low, or Informational). See Severity Levels Explained for details.

  • Status -- Where the finding is in the resolution process

  • Description -- A detailed explanation of what the vulnerability is and why it matters

  • Impact -- What could happen if the vulnerability were exploited by an attacker

  • Steps to reproduce -- A clear walkthrough showing how the issue can be demonstrated

  • Evidence -- Screenshots, request/response samples, or other proof that the vulnerability exists

  • Recommendation -- Guidance on how to fix the issue

  • Affected asset -- Which application, URL, or system is affected

[Figure: A finding detail page showing severity, description, impact, and recommendation -- everything you need to understand and fix the issue]

Finding Statuses

Each finding moves through a defined workflow as your team addresses it:

  • Open -- The finding has been identified and is waiting to be addressed by your team

  • In Progress -- Your team is actively working on a fix

  • Fixed -- Your team has applied a fix and the finding is ready for verification

  • Verified -- The Catchify team has confirmed that the fix resolves the issue

  • Accepted Risk -- Your organization has acknowledged the finding but decided not to fix it at this time

The typical flow is: Open --> In Progress --> Fixed --> Verified

When you mark a finding as Fixed, you can request a retest so the Catchify team can verify the fix. See Requesting a Retest for more details.

Browsing Your Findings

The Findings page lists every vulnerability across all of your projects. You can use filters to narrow down what you see:

  • By severity -- Focus on critical and high findings first

  • By status -- See only open findings, or review what has been verified

  • By project -- View findings for a specific engagement

  • Search -- Find specific findings by keyword

[Figure: The findings list page with filter options for severity, status, and project -- filter and search your findings to focus on what matters most]

Adding Comments

You can add comments to any finding to communicate with your team or the Catchify team. Comments are useful for:

  • Asking questions about a finding

  • Providing context about your environment

  • Noting progress on a fix

  • Requesting clarification on the recommendation

To add a comment, open the finding and scroll to the Comments section at the bottom of the page. Type your message and click Add Comment.

Exporting Findings

You can download your findings in multiple formats for sharing with your team:

  • PDF report -- A formatted document suitable for management review

  • CSV export -- A spreadsheet format for tracking and analysis

Working with Your Development Team

Findings are written to be actionable. Share them directly with your developers by:

  • Sending them a link to the finding in the portal (if they have access)

  • Exporting findings and assigning them in your issue tracker

  • Using the Jira integration to automatically create tickets from findings

The combination of detailed descriptions, reproduction steps, and remediation guidance gives your development team everything they need to resolve the issue.