Require vulnerability approval

As an Organization Administrator, you can require administrative approval when closing vulnerabilities in your organization. You must be an Organization RulesAdmin with RulesAdmin permissions for the target application in order to approve or deny vulnerability closures.

To configure this requirement:

  1. In the user menu, select Policy management > Vulnerability management > Vulnerability behavior.

  2. Select the box next to Require administrator approval when closing vulnerabilities.

  3. Choose the statuses and severities of vulnerabilities that should automatically go into a Pending state when a user moves to close them.

  4. When a user requests to close any qualifying vulnerabilities, Contrast will notify you that your review is needed.

    To qualify for administrative approval, both a status and severity that you select in this configuration must apply to the vulnerability being closed.

    Each vulnerability status will remain Pending until you submit your review of the closure.

    If you deny the closure of a vulnerability, you must provide a reason for denial. Once confirmed, your feedback appears in the vulnerability's Activity tab.

    If you disable the feature, any pending closures are automatically approved.


While in a Pending state, the vulnerability's previous status still applies for the purpose of organizational reports and statistics.