We would like the ability to acknowledge an issue using a third reason in addition to the current Acceptable Risk and False Positive options.
Today, when we acknowledge an issue, we have to classify it as either something we accept as risk or something we believe is a false positive. However, there are cases where the finding is not a false positive, and we are not simply accepting the risk. Instead, we have reviewed the issue and put compensating controls or other mitigations in place to reduce the actual exposure.
We would like a new acknowledgement reason such as “Mitigated” to represent this scenario.
This would allow us to clearly distinguish between:
- False Positive: the finding is not valid or not exploitable.
- Acceptable Risk: we understand the risk and are choosing to accept it.
- Mitigated: the finding may still appear in scans, but controls are in place to reduce or address the risk.
In Review
💡 Feature Request
29 days ago
Todd Gallant