Skip to content

Playbook External Finding Validation

Hermes Agent edited this page Jul 11, 2026 · 1 revision

External Finding Validation

This page is explanatory. The canonical gate is docs/kag-finding-validation.md.

Objective

Decide whether an external vulnerability candidate is ready for report drafting.

Inputs

  • candidate issue description
  • target scope or program context
  • evidence collected so far
  • expected behavior versus claimed vulnerability

SMEs involved

Typically security-appsec-assessment or security-code-review, then security-qa, coordinated by chief-of-staff.

Flow

  1. qualify scope
  2. define the validation hypothesis
  3. build scope, vulnerability, evidence, and decision graphs
  4. adversarially test the claim
  5. decide GO, RESEARCH, or NO-GO

Gates

  • scope qualification
  • impact closure
  • evidence sufficiency
  • QA rejection attempt

Outputs

  • decision artifact
  • impact-validation plan if RESEARCH
  • blocked outcome if NO-GO

Limitations

A technical primitive alone is not enough for approval.

Sanitized example

Block a draft because the candidate shows a primitive but not a qualifying impact chain.

Clone this wiki locally