Skip to main content

Require vulnerability approval

As an Organization Administrator, you can require administrative approval when closing vulnerabilities in your organization. You must be an Organization RulesAdmin with RulesAdmin permissions for the target application in order to approve or deny vulnerability closures.

To configure this requirement:

  1. In the user menu, select Policy management > Vulnerability management > Vulnerability behavior.

  2. Select the box next to Require administrator approval when closing vulnerabilities.

  3. Choose the statuses and severities of vulnerabilities that should automatically go into a Pending state when a user moves to close them.

  4. When a user requests to close any qualifying vulnerabilities, Contrast sends an in-app notification to all Organization Administrators saying that a review is needed.

    Each vulnerability status will remain Pending until an Organization Administrator submits a review of the closure. To qualify for administrative approval, both a status and severity must be selected.

    If a reviewer denies the closure of a vulnerability, they must provide a reason for denial. Once confirmed, the reviewer's feedback appears in the vulnerability's Activity tab.

    If you disable the feature, any pending closures are automatically approved.


While in a Pending state, the vulnerability's previous status still applies for the purpose of organizational reports and statistics.