The four-stage review pipeline
Stage 1: Submission — "Pending"
Your report enters the review queue immediately after submission. An automated check runs to verify completeness and formatting. Based on the report type and content, the system assigns the report to an experienced community reviewer with relevant expertise.
Stage 2: Initial review — "In Review"
A community reviewer examines your report in detail. During this stage they:
- Analyze the malicious code or behavior you described
- Cross-reference findings with known vulnerabilities and threat intelligence
- Verify that evidence links and sources are accessible and support the claim
- Check for duplicate reports in the database
- Assess whether the severity level you selected is appropriate
Stage 3: Verification — "Under Verification"
High-severity or complex reports may require additional review time beyond these estimates. You will receive a notification if your report moves into extended review.
Review criteria
Reviewers evaluate reports against four criteria. Addressing all four in your submission gives your report the best chance of being verified on the first pass.
Evidence quality
Strong evidence is the most important factor in a successful review. Reviewers assess whether the evidence you provided clearly demonstrates malicious intent. Links to official advisories such as OSV or GHSA entries significantly strengthen a report compared to descriptions alone.
Technical accuracy
The threat description and payload details must be technically correct. Reviewers verify that the malicious behavior is described accurately and that the severity level reflects the actual impact of the threat.
Completeness
Reports should include all relevant information: affected versions, publisher details, and a comprehensive description of the threat. Incomplete reports may be returned with a request for additional information before they proceed.
Uniqueness
Reviewers check whether a report already exists for the same threat. If a similar report is found, the reviewer may merge the information or mark the submission as a duplicate. Use the Browse Threats page before submitting to avoid this outcome.
Possible outcomes
After review is complete, your report will receive one of the following outcomes:

| Outcome | What it means |
|---|---|
| Verified | Your report is confirmed as accurate and published to the database. You receive points for the contribution. |
| Needs more information | Reviewers require additional details or evidence. You will be notified about exactly what is needed. |
| Modified | The report is verified but required corrections — for example, a severity adjustment or additional context. Your original submission still receives attribution. |
| Rejected (false positive) | The resource is not malicious. False positives are tracked on your profile, so careful verification before submitting is important. |
| Duplicate | A report for this threat already exists in the database. Check the Browse Threats page before submitting to avoid this outcome. |
Expected timeline

| Step | Timing |
|---|---|
| Initial automated checks | Immediate |
| Assignment to a reviewer | 1–6 hours |
| Initial review completion | 6–24 hours |
| Final verification (if needed) | 24–48 hours |
Version control and updates
Verified threats can be updated as new information becomes available. When a verified threat is modified:
- The previous version is archived and remains accessible for reference
- All changes are tracked with timestamps and the identity of the modifier
- The threat status changes to Modified to indicate that updates have been applied
- Original submitters retain full attribution for their discovery
Who reviews reports
Reports are reviewed by trusted community members who have demonstrated expertise in security research:
- Security researchers with proven track records
- Contributors with a history of high-quality submissions
- Platform moderators and administrators
- Domain experts in specific ecosystems such as npm, PyPI, or container registries