Next-Gen App & Browser Testing Cloud
Trusted by 2 Mn+ QAs & Devs to accelerate their release cycles

Master the bug life cycle stage by stage. Learn severity vs priority, P1-P3 classification, bug report templates, and how cloud testing shortens fix time.

Nazneen Ahmad
Author
June 30, 2026
On This Page
The bug life cycle is the path a defect takes from log to close. Each state has one owner and one next step. Without that structure, bugs sit in the backlog until a customer hits them in production.
This guide covers the 9 stages, the 7 alternate states, how to write a bug report that does not bounce, and how cloud testing shortens fix time.
TL;DR
A bug is software behaving in a way it was not designed to, caused by anything from a misread requirement to a missing line of code. QA teams also call bugs "defects", and this guide uses the terms interchangeably.
Bugs can enter at any point in the Software Development Life Cycle, and dynamic testing only catches the ones that fail at runtime.
The bug life cycle, also called the defect life cycle, is the workflow a defect follows from discovery to closure. It starts the moment a tester logs the issue and ends only when a verifier confirms the fix and the defect cannot reproduce. Each state in the cycle has a specific owner, a defined entry condition, and a defined exit condition, which is what makes the cycle auditable.

Three related terms get used interchangeably and shouldn't be. They describe different scopes.
In short, the bug life cycle is the workflow, the bug tracking life cycle is the platform that runs it, and the bug report life cycle is the artifact it produces. The rest of this guide focuses on the bug life cycle proper, with the tracking-level concerns covered in the continuous improvement section.
The stages of the bug life cycle walk a defect from discovery to closure. Below are the 9 core states every team uses, followed by 7 additional states that handle edge cases. Tool conventions vary (Jira calls "Open" "In Progress"; some teams collapse Pending Retest into Retest) but the workflow logic is the same.
Some teams describe the bug life cycle in phases, others in stages; the terms are used interchangeably. A common grouping bundles the 9 stages into 3 phases:

Phases are useful for high-level reporting ("how many bugs are in the resolution phase this sprint?"); stages are what the tracker actually transitions through.
The first state in the cycle. The tester finds an issue during software testing, captures reproduction steps, environment details, and severity, and logs the report. New means "discovered and documented, but no developer has looked at it yet."
The test lead or triage committee approves the report and assigns it to a developer or development team. The bug now has a named owner and a target sprint.
The developer accepts the bug, reproduces it locally, and begins root-cause analysis. If during this stage the developer determines the report is invalid, a duplicate, or not worth fixing now, the bug moves to one of the alternate states (Rejected, Duplicate, Deferred) instead of progressing.
The developer has changed the code, run unit tests, and pushed the fix to a build the tester can validate. Fixed is a developer-side state; the QA team has not yet confirmed the resolution.
The fix is ready but the tester has not yet started validating it. Common reason: the build is queued behind other regression work. Tracking this state separately is useful because it surfaces fixes that are stuck waiting on test capacity, not on code.
The tester runs the original reproduction steps against the new build. The job is twofold: confirm the original bug no longer reproduces, and confirm the fix did not break adjacent functionality. Retesting and regression testing are different passes and should both run before close.
During Retest the tester finds the bug still reproduces, or a new bug surfaced because of the fix. The bug returns to Open and the cycle repeats. Repeated Reopens for the same bug are a strong signal that the root cause is not yet understood; consider a code review with senior engineers before the next attempt.
Retest passed. The tester confirms the bug is resolved on the target build and the regression check is clean. For a defect that first surfaced in a specific browser, that confirmation should cover every affected browser, not only the one the fix was coded in, which is where confirmation testing across browsers comes in.
The release or project manager marks the bug Closed once it has shipped in a release or is confirmed resolved in production. Closed is the only terminal state for a successful fix; it locks the audit trail and removes the bug from the active queue.
Defects do not always follow the happy path. Seven additional states handle the edge cases:
The cycle is owned by two main roles, the tester and the developer, but a healthy workflow names four to six participants so handoffs are unambiguous:
In larger organizations, a Department Head or CTO joins the triage call for P1 defects that touch compliance, security, or customer-impact thresholds. The principle stays the same: every state transition has a named owner, and the tool enforces the handoff. Defect management and bug triaging guides cover the responsibilities in more depth.
Most bug reports carry three labels that get confused with each other. Status is where the bug sits in the life cycle (New, Open, Fixed, Closed). Severity measures how badly the defect affects the application. Priority measures how urgently the team must fix it. A login outage on production is High severity and P1 priority. A typo in a footer is Low severity but can still be P1 priority if it is the company name on the homepage.
| Label | What it measures | Who decides | Typical values |
|---|---|---|---|
| Status | Position in the life cycle workflow | Tracking tool transitions | New, Assigned, Open, Fixed, Retest, Verified, Closed |
| Severity | Functional impact on the user or system | QA or test lead | Critical (S1), Major (S2), Minor (S3), Cosmetic (S4) |
| Priority | Urgency to fix relative to release schedule | Product owner or triage committee | P1 (immediate), P2 (next sprint), P3 (backlog) |
The two scales decouple because the business impact of a defect is not always proportional to its technical impact. A crash that affects 0.1% of users may be S1 severity but only P2 priority because the fix carries high regression risk. Triage assigns priority; the tester assigns severity at log time.
Some teams add P0 (production-down, all-hands incident) above P1. Whichever scheme you use, the rule is to write the definitions into the team's testing charter so every triager applies them the same way.
Even a well-defined cycle hits friction. The patterns below show up in nearly every team, regardless of size or tooling. Recognizing them is half the fix.
Below are the practices that fix the failure modes above. They are cheap to adopt and compound across sprints.
Not every bug deserves a P1 ticket and an all-hands page. A working life cycle relies on team-wide agreement about what crosses the bar for "critical." The criteria below are what most engineering teams use to decide whether a defect deserves emergency handling, in rough order of weight.
Document these criteria in the team's testing charter and review them every quarter. Without a written bar, "critical" drifts to mean whatever the loudest stakeholder says it means, and the bug life cycle loses its prioritization signal.
A bug life cycle that stays the same year after year is broken. Continuous improvement of the cycle itself is what separates teams that ship faster bug fixes each quarter from teams that wonder why every release feels harder than the last. Three practices drive most of the gains.
The other half of continuous improvement is the tooling you run the cycle on. The right tracker enforces the workflow, surfaces aging bugs, and integrates with the test runner so logging a defect takes a single click.
A bug tracker is the system of record for the cycle. The right tool depends on team size, framework integration, and how much workflow customization you need. The four below cover the common ground from startups to enterprise.
| Tool | Best for | Notable strength |
|---|---|---|
| Jira | Agile teams, enterprise workflows | Custom workflows per project; deep integrations with CI/CD and source control |
| Bugzilla | Open-source projects, self-hosting | Free, mature, configurable email notifications and dependency tracking |
| Zoho BugTracker | Small to mid teams using Zoho suite | Custom fields, built-in analytics, low-friction setup |
| GitHub Issues | Open-source and dev-led teams | Tight code linkage, free for public repos, low overhead |
Whichever tracker you pick, the test runner should push bug context into it automatically. Manual copy-paste of session details is where bug-handling time leaks. The test tool guide goes deeper on tracker selection criteria.
Jira is the most common tracker for the bug life cycle in enterprise teams, but the default Jira workflow uses fewer statuses than the 9-stage canonical model. Most teams customize the Bug issue type with a workflow that maps directly to the stages above. A typical mapping:
| Canonical stage | Jira status | Transition trigger |
|---|---|---|
| New | To Do | Tester creates issue with Bug type |
| Assigned | Selected for Development | Triage sets Assignee and Priority |
| Open | In Progress | Developer starts the fix |
| Fixed / Pending Retest | In Review | Pull request linked, awaiting QA |
| Retest | QA Testing | Tester picks up the build |
| Reopened | Reopened | Retest failed, routes back to In Progress |
| Verified / Closed | Done | QA verifies + release manager closes |
Two Jira features make this workflow run cleanly:
status = "In Review" AND updated < -3d AND priority in (P1, P2) surfaces bugs waiting on QA for more than 3 days, which is the most common stall point.Pair the Jira workflow with cloud test sessions and the bug ticket arrives pre-filled with reproduction video, console logs, network HAR, and device metadata. The bug-tracking integrations docs walk through the one-click setup for Jira specifically.
The states are identical whether the bug was found by an automation run or by a tester clicking through the application. What changes in manual testing is the evidence trail: there is no auto-generated session video, no console.log dump, no network HAR file unless the tester captures them deliberately. That puts more weight on the report itself.
A typical manual-testing pass through the cycle looks like this:
The biggest manual-testing failure mode is the Reopened-Closed-Reopened thrash: a bug is fixed, retested as Verified on an emulator, closed in the build, then a customer hits it on a real device. Running manual exploratory sessions on a real device cloud avoids the emulator-vs-real-device gap and pairs each manual session with capture artifacts automatically, so the manual report carries the same evidence quality as an automation run.
The 9 canonical stages apply to mobile app bugs the same way they apply to web defects, but three things change in the mobile workflow and they all push fix-time up if you ignore them.
Two stages need extra attention for mobile apps:
TestMu AI runs Appium, Espresso, and XCUITest suites on 10,000+ real iOS and Android devices in the cloud, automatically capturing crash logs, device logs, video, and network traffic for every session. Bugs logged from these sessions arrive in Jira or your tracker of choice with all the artifacts a mobile developer needs to reproduce on the first attempt, which eliminates most Non-Reproducible bounces.
TestMu AI helps you perform manual and automation testing of websites and mobile apps on 10,000+ real desktop and mobile devices across every major OS and browser combination. It provides debugging options that not only help with testing but also assist in debugging your software application. Here are some of them:
To try one-click bug logging in automation testing, see the Mark as Bug in Automation Testing doc.
A working bug life cycle is the highest-leverage quality investment a team can make. To put it into practice this week:
When every state has a name, an owner, and an SLA, bugs stop leaking into production.
Note: This article was researched and drafted with AI assistance, then reviewed, fact-checked, and published by Nazneen Ahmad, Community Contributor at TestMu AI, whose listed expertise includes Software Testing and Automation Testing. Every link and product claim was verified against the live source. Read our editorial process and AI use policy for details.
Author
Nazneen Ahmad is a freelance Technical Content SEO Writer with over 6 years of experience in crafting high ranking content on software testing, web development, and medical case studies. She has written 60+ technical blogs, including 50+ top-ranking articles focused on software testing and web development. Certified in Automation Basic and Advanced Training - XO 10, she blends subject knowledge with SEO strategies to create user focused, authoritative content. Over time, she has shifted from quick, keyword-heavy drafts to producing content that prioritizes user intent, readability, and topical authority to deliver lasting value.
Did you find this page helpful?
More Related Blogs
TestMu AI forEnterprise
Get access to solutions built on Enterprise
grade security, privacy, & compliance