-
-
Notifications
You must be signed in to change notification settings - Fork 0
Playbook External Finding Validation
Hermes Agent edited this page Jul 11, 2026
·
1 revision
This page is explanatory. The canonical gate is
docs/kag-finding-validation.md.
Decide whether an external vulnerability candidate is ready for report drafting.
- candidate issue description
- target scope or program context
- evidence collected so far
- expected behavior versus claimed vulnerability
Typically security-appsec-assessment or security-code-review, then security-qa, coordinated by chief-of-staff.
- qualify scope
- define the validation hypothesis
- build scope, vulnerability, evidence, and decision graphs
- adversarially test the claim
- decide
GO,RESEARCH, orNO-GO
- scope qualification
- impact closure
- evidence sufficiency
- QA rejection attempt
- decision artifact
- impact-validation plan if
RESEARCH - blocked outcome if
NO-GO
A technical primitive alone is not enough for approval.
Block a draft because the candidate shows a primitive but not a qualifying impact chain.