POST /v1/organizations/{organizationUid}/suspected-vulnerabilities
Add suspected vulnerabilities for an organization
curl --request POST \
  --url https://{environment}.synack.com/api/vulnerability/v1/organizations/{organizationUid}/suspected-vulnerabilities \
  --header 'Content-Type: application/json' \
  --data '
[
  {
    "name": "<string>",
    "location": "<string>",
    "cvssScore": 123,
    "cvssVersion": 123,
    "lastFoundAt": "2023-11-07T05:31:56Z",
    "source": "<string>",
    "description": "<string>",
    "cves": [
      "<string>"
    ],
    "cwes": [
      "<string>"
    ],
    "category": "<string>",
    "firstFoundAt": "2023-11-07T05:31:56Z",
    "solution": "<string>",
    "confidence": "certain",
    "severity": "critical",
    "assetUid": "<string>",
    "listingUid": "<string>",
    "owaspIds": [
      "<string>"
    ],
    "vendorRiskScore": 123,
    "httpRequest": "aSDinaTvuI8gbWludGxpZnk=",
    "httpResponse": "aSDinaTvuI8gbWludGxpZnk="
  }
]
'
[
  123
]

Path Parameters

organizationUid
string
required

Unique identifier for the organization

Body

application/json

Request body containing the list of objects, describing the properties of suspected vulnerabilities to create

name
string
required

The name (also known as title) of the suspected vulnerability

location
string
required

Location of the suspected vulnerability; records where it was discovered

cvssScore
number<float>
required

CVSS base score of the vulnerability; valid values are from 0 to 10 inclusive. See https://www.first.org/cvss/ for further details.

cvssVersion
number<float>
required

Version of the CVSS base score, as a positive float. See https://www.first.org/cvss/ for further details.

lastFoundAt
string<date-time>
required

Date and time when the suspected vulnerability was detected for the last time on the asset, in RFC 3339 format, with sub-second precision added if present.

source
string
required

Identifier of the source of the suspected vulnerability; usually this is a scanner name. It must contain only lowercase alphanumeric characters and hyphens, and must start with a letter.

description
string

Optional detailed description of the suspected vulnerability

cves
string[]

Optional list of Common Vulnerabilities and Exposures (CVE) identifiers, in "CVE-YYYY-N" format. See https://www.cve.org/ for details.

cwes
string[]

Optional list of Common Weakness Enumeration (CWE) identifiers, in "CWE-N" format. See https://cwe.mitre.org/ for further details.

category
string

Optional category of the suspected vulnerability, as a human-readable string. It is usually scanner dependent; in Tenable, for instance, it is called the family.

firstFoundAt
string<date-time>

Optional date and time when the suspected vulnerability was detected for the first time on the asset, in RFC 3339 format, with sub-second precision added if present.

solution
string

Optional description of actions that could be taken in order to remediate the vulnerability.

confidence
enum<string>

Optional confidence of the suspected vulnerability. It is usually scanner specific: it is called confidence in Burp Suite and Quality of Detection in OpenVAS, while Tenable has no equivalent.

Available options: certain, firm, tentative

severity
enum<string>

Optional severity of the suspected vulnerability. It is usually scanner specific, and is sometimes derived from the CVSS base score.

Available options: critical, high, medium, low, informational

assetUid
string

Optional unique identifier of the asset on which the suspected vulnerability was discovered. When set, it must contain only lowercase hex digits. When not set, an asset is created based on the location property.

listingUid
string

Optional unique identifier of the assessment (also known as listing) that newly created assets should be assigned to. Used only when the assetUid property is set. If set, it must contain only lowercase alphanumeric characters.

owaspIds
string[]

Optional list of OWASP identifiers. These are standardized labels that categorize security vulnerabilities according to the OWASP (Open Web Application Security Project) Top 10, a globally recognized list of the most critical security risks to web applications. The identifiers follow the format "A##:YYYY", where "A##" is the position in the OWASP Top 10 list (e.g., A01, A02, A03) and "YYYY" is the year of the OWASP Top 10 publication (e.g., 2017, 2021, 2024).

vendorRiskScore
number

A risk score provided by the vendor of the imported vulnerability. Its range differs from vendor to vendor: for example, Qualys QDS ranges from 1 to 100, while Tenable VPR ranges from 0.1 to 10.0.

httpRequest
string<byte>

If the HTTP request used to discover the suspected vulnerability is known, it should be placed here as is, including all request headers (base64-encoded, as the string<byte> type indicates).

httpResponse
string<byte>

If the HTTP response used to discover the suspected vulnerability is known, it should be placed here as is, including all response headers (base64-encoded, as the string<byte> type indicates).
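As an added example that is not part of this page or of any Synack client library, the Python helper below builds one request-body object and enforces the field constraints documented above (score range, identifier formats, enum values, RFC 3339 timestamps, base64 for the string<byte> fields) before anything is sent. The sample finding, the scanner name `example-scanner` and the CVE id are constructed placeholders, and no HTTP call is made.

```python
import base64
import re
from datetime import datetime, timezone

CONFIDENCE = {"certain", "firm", "tentative"}  # enum values from this page
SEVERITY = {"critical", "high", "medium", "low", "informational"}
FORMATS = {  # identifier formats from the field descriptions on this page
    "source": re.compile(r"^[a-z][a-z0-9-]*$"),  # lowercase alnum and hyphens, starts with a letter
    "cves": re.compile(r"^CVE-\d{4}-\d+$"),      # "CVE-YYYY-N"
    "cwes": re.compile(r"^CWE-\d+$"),            # "CWE-N"
    "owaspIds": re.compile(r"^A\d{2}:\d{4}$"),   # "A##:YYYY"
    "assetUid": re.compile(r"^[0-9a-f]+$"),      # lowercase hex digits only
    "listingUid": re.compile(r"^[a-z0-9]+$"),    # lowercase alphanumeric only
}

def rfc3339(ts: datetime) -> str:
    """Render a timezone-aware datetime in RFC 3339 form with a trailing Z."""
    return ts.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")

def build_item(name, location, cvss_score, cvss_version, last_found_at, source, **optional):
    """Validate one suspected vulnerability against the documented constraints; return its JSON object."""
    if not 0 <= cvss_score <= 10:
        raise ValueError("cvssScore must be between 0 and 10 inclusive")
    if cvss_version <= 0:
        raise ValueError("cvssVersion must be a positive number")
    item = {"name": name, "location": location, "cvssScore": float(cvss_score),
            "cvssVersion": float(cvss_version), "lastFoundAt": last_found_at, "source": source}
    item.update(optional)  # description, cves, cwes, confidence, severity, httpRequest, ...
    for field, pattern in FORMATS.items():
        values = item.get(field)
        for v in (values if isinstance(values, list) else [values] if values is not None else []):
            if not pattern.match(v):
                raise ValueError(f"{field}: {v!r} does not match the documented format")
    if item.get("confidence", "certain") not in CONFIDENCE or item.get("severity", "low") not in SEVERITY:
        raise ValueError("confidence/severity must use the documented enum values")
    for ts in ("lastFoundAt", "firstFoundAt"):  # string<date-time>: serialize as RFC 3339
        if isinstance(item.get(ts), datetime):
            item[ts] = rfc3339(item[ts])
    for raw in ("httpRequest", "httpResponse"):  # string<byte>: base64-encode the raw bytes
        if isinstance(item.get(raw), bytes):
            item[raw] = base64.b64encode(item[raw]).decode("ascii")
    return item

def example_item() -> dict:
    """Constructed sample finding (hypothetical scanner output, not real data)."""
    return build_item("Reflected XSS in search", "https://app.example.com/search", 6.1, 3.1,
                      datetime(2024, 5, 2, 10, 30, tzinfo=timezone.utc), "example-scanner",
                      cves=["CVE-2024-0000"], cwes=["CWE-79"], owaspIds=["A03:2021"],  # placeholder CVE id
                      confidence="firm", severity="medium", httpRequest=b"GET / HTTP/1.1\r\n\r\n")
```

Wrap the returned objects in a JSON array, since the endpoint takes a list, and POST it to the URL shown in the curl sample above.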

Response

Response to a POST request, inserting new suspected vulnerabilities for the organization