Implemented

💯 New priority score: We have defined a new version of our vulnerability prioritization model. It is still based on CVSS and CVSSF scores, but now you can easily customize which of the following criteria have greater weight than others: fixing cost, dependency usage (in build or run), transitivity, EPSS, and KEV.

The Priority column in the weaknesses and vulnerabilities tables shows values in percentiles: the higher the percentile, the higher the remediation priority. For more details, check out these articles on prioritization policy management and vulnerability reporting in our Knowledge Base.

🪾 Safe dependency version: Now, in addition to reporting every vulnerable third-party software component you are using in your application, we show you which of its closest versions is free of known vulnerabilities. Soon, you will also be able to use Autofix from compatible IDEs to apply patches and minor fixes to your dependencies.

🌿 Enhancements to our IntelliJ plugin: We have already enabled Custom Fix—one of our GenAI-based vulnerability remediation support channels—for those who use our extension in IntelliJ IDEA. Soon, we will facilitate Autofix and reattacks features for the same IDE.

⛓️ Identify your vulnerable packages more easily: We continue to improve the user experience in the Inventory section of our platform so that you can make a more intuitive connection between the packages used in your application and their vulnerabilities. Remember that you can also get to know the dependency trees and map component licenses right there.

🏛️ Criteria has been moved: We now have the Fluid Attacks Database site, where you can access all our technical documentation (formerly known as “Criteria” in our Knowledge Base) related to security vulnerabilities, requirements, standards, and fixes. There, you can also stay up to date with all the advisories we collect and disclose.

Upcoming

🔝 Top 20 vulnerabilities: Coming soon, from the Vulnerabilities section on our platform, you will be able to quickly filter the top 20 vulnerabilities to be remediated according to their priority in the group.

⚠️Fluid Attacks call notice⚠️

A few months ago, our sales team may have been calling your team members to offer them onboarding and adoption of new features on our platform. This is a reliable procedure. However, if you have any questions, please contact us at help@fluidattacks.com.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

🤖 Added "Fix with AI" filter: Now you can prioritize the assignment and remediation of vulnerabilities based on the availability of AI-generated fixes. Within the Vulnerabilities table for each of your groups, in the filter menu, we have included the option “Fix with AI.” This allows you to list the vulnerabilities for which we can help you reduce remediation efforts with our GenAI-powered solutions.

🏗️ Redesigning the Surface section: We have started restructuring the Surface section, now renamed "Inventory" (a concept more aligned with our industry terminology). This section is now divided into two tabs:

• Packages: It shows open-source software components or third-party dependencies and Docker images in use within your repositories, as well as licenses and vulnerabilities associated with them. Here you can also generate SBOMs in a couple of clicks.
• Surface: It provides a technical overview of the target, including languages, lines, inputs, and ports.

Upcoming

🪸 Autofix for SCA results: We will start allowing this automatic remediation option for vulnerabilities found through SCA. Specifically, for those security issues that, in line with Semantic Versioning (SemVer), represent only "minor" changes.

📐 New priority score: We identified some errors to fix in the current mathematical model of our priority score. The new version of the priority model will be based on CVSS, but will incorporate additional criteria such as CVSSF, fixing cost, dependency usage (in build or runtime), transitivity, EPSS, KEV, and reachability. We will remove criteria related to the importance of the repository, detection technique, attack vector, and location impact.

🔩 Enhancements to our IntelliJ integration: Pending modifications for this IDE plugin include integrating it with our Autofix and Custom Fix remediation support, and allowing users to view descriptions of their vulnerabilities and be directed to our platform from there.

Deprecations

📈 "Severity" tab at the weakness level: For years, we have calculated severity for vulnerabilities (weaknesses in specific locations) and not just for general weaknesses (ignoring their location in the software under evaluation). The latter calculation is now obsolete and inaccurate, so we have decided to remove the Severity section from the weakness level and keep it only for the vulnerability level. This will take effect on October 1.

Additional information

💬 On our subprocessors: For Fluid Attacks, transparency is a fundamental principle of security. That is why, in the area of customer data management, we would like to inform you that we have now subscribed to the cloud monitoring subprocessor DataDog and are no longer using Coralogix and Mixpanel. For more information about our subprocessors, please visit our Trust Center.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

↔️ One image for each technique: To optimize the speed of our scans, both locally and in CI/CD pipelines, we decided to separate our tools, that is, to create a Docker image for each of our techniques. Each new image now displays CVSS 4.0 scores, and the SCA image provides details about the packages being evaluated, including the EPSS, the type of dependency, and the package version. On November 1, we will deprecate the current Docker image; therefore, we recommend that you initiate the transition soon.

⚠️ Improvements to the table of vulnerabilities: Above the table of vulnerabilities, you can now see a summary for each of your groups, including the number of weaknesses and vulnerabilities we have identified, how many of them you have already remediated, how many you can fix with the help of our GenAI, and how much risk exposure that group poses to your organization, among other things. Additionally, after right-clicking on each weakness in the table, you can open a new tab that will show all the vulnerabilities associated with it.

👩🏽‍🔧 Fixing support for all prioritized languages: Our GenAI features, Autofix and Custom Fix, now can work for all our prioritized supported languages.

🔧 Enhancements to Custom Fix from the platform: We have optimized the way we offer and present these AI-based vulnerability remediation guides to make your experience easier and more enjoyable.

🌳 Renewed IDE extension: Fluid Attacks' plugin for IntelliJ now supports the new version of this IDE.

❌ Zero risk notification: We introduced a new webhook event that notifies you when a vulnerability in your reports is marked as a true false positive (aka “true zero risk”).

Squashed bugs

✔️ Custom Fix broken: The Get Custom Fix button in our Visual Studio Code extension for generating vulnerability remediation guides was not working correctly.

✔️ Faulty root filter: The search bar in the Git Roots table did not filter when URL elements were entered into it.

✔️ Blank screen: In some cases, the platform ended up loading a blank screen instead of the expected content.

Promised but not implemented yet / Upcoming

🌿 Enhancements to our IntelliJ integration: Pending improvements for this IDE plugin include integrating it with our Autofix and Custom Fix remediation support, and allowing users to view descriptions of their vulnerabilities and be directed to our platform from there.

💯 New priority score: Several errors were identified that need to be corrected in the current mathematical model for this score. The new version of the priority model will be based on CVSS, but will incorporate additional criteria such as CVSSF, fixing cost, dependency usage (in build or runtime), transitivity, EPSS, KEV, and reachability. We will remove criteria related to the importance of the repository, detection technique, attack vector, and location impact.

🪾 Autofix for SCA results: We will begin enabling this automatic remediation option for vulnerabilities found through SCA. Specifically, for those flaws that, in line with Semantic Versioning (SemVer), represent only "minor" changes or updates.

🤖 Autofix filter: In the table of vulnerabilities, you will be able to easily filter security issues that have the automated remediation option provided by GenAI available.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

🔝 OWASP Top 10 for LLM applications report: We have included this relatively recent OWASP list as security criteria in our security testing. While several of the vulnerabilities that LLM applications and GenAI may have were already reported by us, we introduce these new types to our radar:

• 452. Prompt injection
• 453. Data and model poisoning
• 454. Improper output handling
• 455. Excessive LLM agency
• 456. AI misinformation

It is worth mentioning that the detection of some of these types of vulnerabilities depends on the tests performed by our pentesters, offered only in our Advanced plan.

🤖 MCP answers based on the KB: Our newly implemented Model Context Protocol (MCP) server is now able to answer your questions by resorting to information we have stored within our Knowledge Base.

Squashed bugs

✔️ Faulty group filter: When trying to find a group in the table through the search engine, it was not taking into account the characters that were part of the description of each group to deliver results.

✔️ Invalid compliance metrics: At least one of the standards within the Compliance list was showing an incorrect percentage value, so a general readjustment was made.

Promised but not implemented yet / Upcoming

👩🏽‍🔧 Fixing support for all prioritized languages: At Fluid Attacks, we currently have a list of prioritized supported languages. What we are looking to achieve is for the GenAI features Autofix and Custom Fix to work for all of these languages (our Knowledge Base already has many more examples of vulnerability remediation).

🌳 Enhancements to our IntelliJ integration: Pending improvements for this IDE plugin include integrating it with our Autofix and Custom fix remediation support, making it compatible with newer versions, and allowing users to view descriptions of their vulnerabilities and be directed to our platform from there.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

↔️ Design Map: Our platform's new Design Map section shows you the relationships we establish between elements of your company's threat model and the vulnerabilities in your software that we detect and report. This information allows you to prioritize vulnerabilities to be remediated according to the most critical risks to your business, defined by your teams beforehand. For more information about this feature and how to upload your threat model to the platform, we invite you to review the corresponding article in our Knowledge Base.

🤖 Model Context Protocol (MCP): Thanks to this evolving feature, you can query the platform using natural language to obtain information about your organization and groups, such as roots, vulnerabilities, analytics, executions of our CI Agent, unresolved events, and more. Currently in its beta version, MCP is a software component that allows different generative AI models to connect and work with our platform data to keep you informed according to your needs. Apart from the platform, it is available in Cursor, Claude, and Visual Studio Code. We invite you to review the corresponding article in our Knowledge Base for more information.

🧩 Cursor extension: Our Cursor plugin is now available for your developers. Thanks to it, they can identify affected lines of code or vulnerabilities we report to them and use the GenAI-powered Autofix and Custom Fix support options to remediate them without leaving their IDE. See the articles on how to install it and how to use it in our Knowledge Base.

🌳 More extensive reports from SCA: Now, for each vulnerability detected in third-party software components on which your application depends, you will be able to see much more details, which you can access from the Locations section. This includes, for example, the type of dependency, advisory ID, affected version, exploitation probability (EPSS), and reachability. For this last variable, we now handle three labels: "latent," "potential," and "reachable."

A latent vulnerability is present in a declared package, but your code doesn't call its associated function. A potential vulnerability means the function is called, but not necessarily in the way described in the CVE (it might depend on user input). Finally, a reachable vulnerability indicates the function is called exactly as described in the CVE; therefore, we're entirely sure attackers can reach it.

Squashed bugs

✔️ Manual reattacks in the Essential plan: Users who had switched from the Advanced plan to the Essential plan were allowed to request manual reattacks, even though the latter only offers automated assessments and reattacks.

✔️ Vulnerabilities in Docker images missing: Vulnerabilities present in our customers' Docker images were not shown in the main reporting table, but only in our platform's Surface section.

Upcoming

👩🏽‍🔧 Fixing support for all prioritized languages: At Fluid Attacks, we currently have a list of prioritized supported languages. What we are looking to achieve is for the GenAI features Autofix and Custom Fix to work for all of these languages, and our Knowledge Base to have many more examples of vulnerability remediation.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link! Now, you can also do it in Spanish:

Implemented

✅ Adequate inherited vulnerability categorization: Until recently, vulnerabilities in your third-party components or dependencies were grouped into categories of “use of software with known vulnerabilities” (011 and 393). Now, for the sake of analysis, prioritization, and management, these vulnerabilities are reported to you within their specific categories. So, for example, if a library in your software has an SQL injection vulnerability, it will not be reported as 011 or 393 but as SQL injection within the main list of vulnerability types in our platform.

💉 Vulnerabilities separated according to their origin: As part of the previous change, we want to make it easier for you to filter vulnerabilities. Therefore, in the Locations table of each type of vulnerability, you have the Origin column with two options: “Injected” for vulnerabilities generated in your code by your developers and “Inherited” for those in third-party components on which your application depends.

🌳 CI Agent for inherited vulnerabilities: In relation to the above, considering that previously you could accept vulnerabilities of types 011 and 393 into production, now, accordingly, you can configure our CI Agent to ignore inherited vulnerabilities, whether they are present in development, production, or both stages.

🚛 Specifications for testing in production: We have recently started providing production-phase security testing. To ensure the necessary precautions, whenever you register an environment for this type of assessment, you must specify it through the new corresponding tag in our platform. This information is reflected in the Environments table in the Scope section.

🆎 New languages and frameworks supported: As part of its constant improvement, we have started including several analysis methods for these languages and frameworks in the Fluid Attacks tool:

Languages

• Ruby
• Scala
• ARM
• Helm

Frameworks

• NextJS
• Next.js
• React Native
• Vue
• Ruby on Rails
• Starlette

For reachability analysis on SCA

• Kotlin
• Scala
• PHP
• DART

✅ Improved acceptance flow: We enhanced the flow of requesting, approving and rejecting temporary or permanent acceptance treatments for vulnerabilities for easier utilization of this functionality.

Squashed bugs

✔️ Discrepancies between graphs and report tables: In one of our charts in the Analytics section, the number of vulnerabilities shown did not match those reported overall and for specific periods.

✔️ Wrong organizational MTTR: The mean time to remediate (MTTR) for organizations in general, not groups, was incorrectly calculated because it didn't consider the number of vulnerabilities within each group.

Upcoming

🗓️ CVSS v4.0 complete transition: As previously announced, On April 4, 2025, our platform will ultimately transition to CVSS v4.0, deprecating support for CVSS v3.1. All reports and resources will be automatically updated, requiring no action from users. API users can still access CVSS v3.1 data until October 4, 2025.

🔁 Improved reattack flow: We are enhancing the reattack execution request flow by returning to a state where only two clicks are needed for such a request.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

Dear users,

As previously announced, we will fully transition to CVSS v4.0 and deprecate support for CVSS v3.1 next week.

Key points:

• Platform transition: April 4, 2025 - CVSS v4.0 will be the standard.
• Action required: No direct action is needed from users, as resources and reports will update automatically.
• API users: API access to CVSS v3.1 data will remain available until October 4, 2025.

Please ensure you have reviewed the CVSS v4.0 documentation and are prepared for this update.

We appreciate your cooperation.

We recently enhanced our platform's vulnerability categorization for third-party components and dependencies, improving reporting granularity and accuracy. This allows for more precise risk analysis and management.

Previously, inherited vulnerabilities were grouped under the categories of "use of software with known vulnerabilities" (011 and 393). Now, they're reported by specific vulnerability type (e.g., "SQL injection").

Furthermore, we make it easier for you to recognize them with the new Origin column in the Locations table. There, you see “Injected” for vulnerabilities generated in your code by your developers and “Inherited” for those in third-party components on which your application depends.

This change may have affected your remediation rates ⚠️

Formerly, a single affected location reported on our platform with the "vulnerability type" 011 or 393 represented an entire third-party component. But this component could, in reality, contain multiple vulnerabilities of different types (e.g., SQL injection, XSS, RCE), which are now listed individually.

This increased number of vulnerabilities could positively or negatively impact your remediation rates on our platform, depending on whether or not your inherited security issues had been previously addressed.

For questions, contact support at help@fluidattacks.com.

Thank you for your continued trust in our ASPM platform.

🎉 We're thrilled to announce that Fluid Attacks is now an AWS partner and is officially listed on FIRST's website as one of the vendors using EPSS in their products! 🎉

Upcoming

✅ Adequate inherited vulnerability categorization: So far, vulnerabilities in your third-party components or dependencies are grouped into generic categories of “use of software with known vulnerabilities” (011 and 393). Very soon, for the sake of analysis, prioritization, and management, these vulnerabilities will be reported to you within their specific categories. So, for example, if a library in your software has an SQL injection vulnerability, it will not be reported as 011 or 393 but as SQL injection within the main list of vulnerability types in our platform. (Coming up on March 10.)

🗓️ CVSS v4.0 transition is one month away: Mark your calendars! On April 4, 2025, our platform will ultimately transition to CVSS v4.0, deprecating support for CVSS v3.1. All reports and resources will be automatically updated, requiring no action from users. API users can still access CVSS v3.1 data until October 4, 2025.

Implemented

✂️ Dissolve the Vuln. Management menu: Some users had trouble finding the Locations tables' treatment acceptance/rejection and vulnerability reattack buttons. Therefore, we made them instantly visible in that section, discarding the previously implemented Vuln. Management menu.

Squashed bug

✔️ Inconsistency in severity reporting: Discrepancies were observed between the CVSS scores assigned to certain vulnerabilities within our VS Code extension and those reported on our platform.

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!

🎉 We're thrilled to announce that Fluid Attacks is now an AWS partner and is officially listed on FIRST's website as one of the vendors using EPSS in their products! 🎉

Implemented

🔤 Renaming roles: The name "User Manager" was used both at the group and organization levels within the platform when, in fact, it referred to two different roles. Hence, to avoid confusion, mainly regarding permissions, the name was changed to "Group Manager" for the former and "Organization Manager" for the latter.

🏛️ Enhanced access and control: Contrary to what happened a short time ago, when an Organization Manager is invited from within the organization, they automatically gain access to all existing and future groups. In addition, they are assigned Group Manager privileges in each group, ensuring consistency and complete control.

Squashed bug

✔️ Incomplete customized reports: When exporting a customized technical report, some vulnerability records that met the filters selected by the user were not displayed in the report, thus affecting the reliability of this platform function.

✔️ Failure to register URL environments: The platform could not register URL environments accessed through ZTNA or Egress due to an error in the validation of variables.

Upcoming

✂️ Dissolve the Vuln. Management menu: Some users had trouble finding the Locations tables' treatment acceptance/rejection and vulnerability reattack buttons. Therefore, we will make them instantly visible in that section, discarding the previously implemented Vuln. Management menu. (Coming up on February 28.)

✅ Adequate inherited vulnerability categorization: So far, vulnerabilities in your third-party components or dependencies are grouped into generic categories of “use of software with known vulnerabilities” (011 and 393). Very soon, for the sake of analysis, prioritization and management, these vulnerabilities will be reported to you within their specific categories. So, for example, if a library in your software has an SQL injection vulnerability, it will not be reported as 011 or 393 but as SQL injection within the main list of vulnerability types in our platform. (Coming up on February 28.)

✨Have 10-15 minutes to spare?✨

Share your opinions on our AppSec solution on Gartner Peer Insights and earn a $25 gift card! Your feedback helps others make informed decisions and shapes the future of application security. Just follow this link!