---
name: finding-verifier
description: Verify vulnerability findings using independent replay, confounder control, and strict acceptance criteria.
---
# Finding Verifier

## Purpose

Ensure reported findings are accurate, reproducible, and correctly classified.

## Inputs

- `finding_report`
- `evidence_bundle`
- `environment_notes`
## Verification Workflow

### Phase 1: Evidence Integrity

- Verify artifact completeness and timestamps.
- Verify request-response pairing and context consistency.
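
The two Phase 1 checks, written out as an added example (not part of this skill): it walks an evidence bundle, reports artifacts with missing fields or malformed digests, and then checks that every request has its response, that the response is not timestamped before the request, and that both sides carry the same context. The bundle layout (artifact dicts with `id`, `kind`, `ts`, `sha256`, `pair_id`, `context`) and the sample bundle are assumptions constructed for the example.

```python
"""Phase 1 evidence-integrity checks over an evidence bundle.

Added example; not part of the skill. The bundle layout is an assumption:
a list of artifact dicts with keys id, kind, ts (ISO 8601), sha256, and for
request/response artifacts a shared pair_id plus a context dict (host, session).
"""
from datetime import datetime

REQUIRED_FIELDS = ("id", "kind", "ts", "sha256")
HEX = set("0123456789abcdef")


def _parse_ts(value):
    # fromisoformat does not accept a trailing "Z" before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_evidence_integrity(artifacts):
    """Return a list of integrity issues; an empty list means the bundle passes."""
    issues = []
    pairs = {}
    for art in artifacts:
        missing = [k for k in REQUIRED_FIELDS if not art.get(k)]
        if missing:
            issues.append(f"{art.get('id', '?')}: missing {', '.join(missing)}")
            continue  # an incomplete artifact cannot take part in pairing
        digest = art["sha256"].lower()
        if len(digest) != 64 or not set(digest) <= HEX:
            issues.append(f"{art['id']}: sha256 is not a 64-digit hex digest")
        if art["kind"] in ("request", "response"):
            pairs.setdefault(art.get("pair_id"), {})[art["kind"]] = art

    # Pairing and context consistency: each request needs a response, the
    # response must not precede the request, and both must share a context.
    for pair_id, sides in pairs.items():
        req, resp = sides.get("request"), sides.get("response")
        if req is None or resp is None:
            issues.append(f"pair {pair_id}: missing {'response' if req else 'request'}")
            continue
        if _parse_ts(resp["ts"]) < _parse_ts(req["ts"]):
            issues.append(f"pair {pair_id}: response timestamp precedes request")
        if req.get("context") != resp.get("context"):
            issues.append(f"pair {pair_id}: request/response context mismatch")
    return issues


# Constructed sample bundle: p1 is clean, p2 has a clock and session problem,
# a5 lacks its digest. Host name and sessions are placeholders.
SAMPLE_BUNDLE = [
    {"id": "a1", "kind": "request", "pair_id": "p1", "ts": "2024-01-01T10:00:00Z",
     "sha256": "a" * 64, "context": {"host": "app.example.test", "session": "s1"}},
    {"id": "a2", "kind": "response", "pair_id": "p1", "ts": "2024-01-01T10:00:01Z",
     "sha256": "b" * 64, "context": {"host": "app.example.test", "session": "s1"}},
    {"id": "a3", "kind": "request", "pair_id": "p2", "ts": "2024-01-01T10:05:00Z",
     "sha256": "c" * 64, "context": {"host": "app.example.test", "session": "s1"}},
    {"id": "a4", "kind": "response", "pair_id": "p2", "ts": "2024-01-01T10:04:00Z",
     "sha256": "d" * 64, "context": {"host": "app.example.test", "session": "s2"}},
    {"id": "a5", "kind": "request", "pair_id": "p3", "ts": "2024-01-01T10:06:00Z",
     "sha256": ""},
]

if __name__ == "__main__":
    for issue in check_evidence_integrity(SAMPLE_BUNDLE):
        print(issue)
```

An artifact that fails the completeness check is dropped before pairing so that one bad record produces one issue rather than a cascade; a bundle that returns no issues is ready for Phase 2.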

### Phase 2: Independent Replay

- Reproduce with original method.
- Reproduce with alternate method when possible.
- Compare behavior consistency.

### Phase 3: Confounder Analysis

- Caching and stale session effects.
- Timing and infrastructure noise.
- Seed-data drift and race artifacts.

### Phase 4: Final Status

- `confirmed` if replayable with clear impact.
- `disputed` if strong counter-evidence exists.
- `inconclusive` if unresolved blockers remain.

## Acceptance Criteria by Class

| Class | Confirmed Requires |
|-------|--------------------|
| Injection | parser/engine effect + attacker control |
| XSS | controlled script execution in target context |
| Authz | unauthorized action/object access proven |
| SSRF | outbound request influence or protected target reach |

## Output Contract

```json
{
  "verification_status": [],
  "replay_results": [],
  "confounder_notes": [],
  "required_follow_up": []
}
```

## Constraints

- Do not confirm from a single unstable run.
- Do not dispute on intuition alone.
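
Phases 2 to 4, the acceptance-criteria table and the two constraints combined into one decision function, added here as an example (not the skill's own code). It scores run-to-run consistency across replays, checks the class-specific acceptance criteria, treats only artifact-backed counter-evidence as strong, and emits the output contract with the exact follow-up needed to move an item forward. The input shapes, the evidence flag names, the two-run minimum and the 0.8 consistency threshold are all assumptions made for the example.

```python
"""Phases 2-4: decide a verification status and emit the output contract.

Added example; not the skill's own code. Assumed input shapes:
  runs:             [{"method": "original"|"alternate", "reproduced": bool,
                      "impact_observed": bool}, ...]
  flags:            evidence flags for the class criteria (names are assumed)
  counter_evidence: [{"note": str, "artifact": str|None}, ...]
  blockers:         unresolved blocker strings
The minimum of two reproducing runs and the 0.8 consistency threshold are
assumptions chosen to enforce "do not confirm from a single unstable run".
"""

# Acceptance criteria per class, mirroring the skill's table. Every item in a
# tuple is required; "a|b" means either flag satisfies that item.
CLASS_CRITERIA = {
    "injection": ("parser_effect", "attacker_control"),
    "xss": ("controlled_script_execution", "target_context"),
    "authz": ("unauthorized_access_proven",),
    "ssrf": ("outbound_request_influence|protected_target_reach",),
}


def reproducibility_score(runs):
    """Run-to-run consistency: fraction of replay runs that reproduced the effect."""
    if not runs:
        return 0.0
    return sum(1 for r in runs if r["reproduced"]) / len(runs)


def class_criteria_met(finding_class, flags):
    """True when every required item of the class's acceptance criteria is evidenced."""
    spec = CLASS_CRITERIA.get(finding_class.lower())
    if spec is None:
        return False
    return all(any(flags.get(alt, False) for alt in item.split("|")) for item in spec)


def decide_status(finding_class, runs, flags, counter_evidence=(), blockers=(),
                  confounder_notes=(), min_runs=2, min_score=0.8):
    """Apply the Phase 4 rules and return the skill's output-contract dict."""
    reproduced = [r for r in runs if r["reproduced"]]
    methods = {r["method"] for r in reproduced}
    replayable = len(reproduced) >= min_runs and reproducibility_score(runs) >= min_score
    clear_impact = (any(r.get("impact_observed") for r in reproduced)
                    and class_criteria_met(finding_class, flags))
    # "Do not dispute on intuition alone": only artifact-backed counter-evidence is strong.
    strong = [c for c in counter_evidence if c.get("artifact")]
    weak = [c for c in counter_evidence if not c.get("artifact")]
    follow_up = []

    if strong:
        status = "disputed"
        follow_up.append("reconcile counter-evidence: " + "; ".join(c["artifact"] for c in strong))
    elif replayable and clear_impact:
        status = "confirmed"
        if "alternate" not in methods:
            follow_up.append("replay with an alternate method to rule out method-specific artifacts")
    else:
        status = "inconclusive"
        follow_up.extend(f"unblock: {b}" for b in blockers)
        if len(reproduced) < min_runs:
            follow_up.append(f"obtain at least {min_runs} reproducing runs (have {len(reproduced)})")
        elif not replayable:
            follow_up.append(f"stabilize replay: score {reproducibility_score(runs):.2f} < {min_score}")
        if reproduced and not clear_impact:
            follow_up.append(f"evidence the {finding_class} acceptance criteria: "
                             + ", ".join(CLASS_CRITERIA.get(finding_class.lower(), ())))
    if weak:
        follow_up.append("attach artifacts to unbacked counter-evidence or drop it")

    return {
        "verification_status": [status],
        "replay_results": [f"{r['method']}: {'reproduced' if r['reproduced'] else 'no effect'}"
                           for r in runs]
                          + [f"reproducibility_score={reproducibility_score(runs):.2f}"],
        "confounder_notes": list(confounder_notes),
        "required_follow_up": follow_up,
    }


SAMPLE_RUNS = [  # constructed: original method twice, alternate once, all reproduced
    {"method": "original", "reproduced": True, "impact_observed": True},
    {"method": "original", "reproduced": True, "impact_observed": True},
    {"method": "alternate", "reproduced": True, "impact_observed": True},
]
SAMPLE_FLAGS = {"parser_effect": True, "attacker_control": True}  # constructed

if __name__ == "__main__":
    import json
    print(json.dumps(decide_status("injection", SAMPLE_RUNS, SAMPLE_FLAGS), indent=2))
```

The rule order matters: strong counter-evidence wins over a clean replay, because a replay that contradicts a concrete artifact is itself the thing that needs reconciling; a single reproducing run or an unstable series never reaches `confirmed`, and the follow-up list names the missing runs, the unmet criteria or the blocker rather than leaving the item parked.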

## Quality Checklist

## Detailed Operator Notes

### Consistency Rules

- Normalize terminology before scoring or chaining.
- Separate prerequisite uncertainty from exploit uncertainty.
- Treat environmental blockers independently from mitigation strength.

### Risk Scoring Inputs

- attacker starting privilege
- required chain length
- probability of reliable execution
- blast radius if successful

### Prioritization Output

- `immediate`: low-effort, high-impact chains/findings.
- `next`: moderate effort with clear payoff.
- `watch`: plausible but currently low confidence.

### Reporting Rules

- Include one-line executive summary per chain/finding.
- Include exact blocker needed to move an inconclusive item forward.
- Include confidence rationale in plain technical language.

## Quick Scenarios

### Scenario A: Access Check Placement

- Trace data fetch point.
- Trace policy check point.
- Determine whether check occurs before use.
- Identify alternate path without check.

### Scenario B: Sanitization Mismatch

- Map sink execution context.
- Map sanitizer type and location.
- Validate context compatibility.
- Find branch that bypasses sanitizer.

### Scenario C: Adjacent Pattern Sweep

- Identify sibling handlers/sinks.
- Compare guard and validation parity.
- Flag inconsistent control patterns.
- Prioritize high-impact siblings.
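
Scenarios A and C as a static sweep over handler source, added as an example that is not part of the skill. For each handler it locates the data fetch point and the policy check point, reports a check placed after the fetch and any return path that exits between the two, and then compares guard parity across sibling handlers. The `@route` decorator, the `FETCH_NAMES`/`CHECK_NAMES` call sets and the sample module are all assumptions constructed for the example, not code from any real project.

```python
"""Scenario A (access-check placement) and Scenario C (sibling guard parity)
as a static sweep over handler source.

Added example; not the skill's own code. Assumptions: handlers are top-level
functions decorated with @route(...), a data fetch is any call named in
FETCH_NAMES, a policy check is any call named in CHECK_NAMES, and the module
below is constructed sample code, not from any real project.
"""
import ast

FETCH_NAMES = {"get_invoice", "load_record"}
CHECK_NAMES = {"authorize", "require_owner"}

SAMPLE_MODULE = '''
@route("/invoice/<id>")
def view_invoice(user, id):
    authorize(user, "invoice", id)   # check placed before the fetch
    inv = get_invoice(id)
    return render(inv)

@route("/invoice/<id>/pdf")
def invoice_pdf(user, id):
    inv = get_invoice(id)            # fetch first ...
    if inv.draft:
        return render_draft(inv)     # ... and one branch returns before any check
    authorize(user, "invoice", id)
    return pdf(inv)

@route("/invoice/<id>/delete")
def delete_invoice(user, id):
    inv = get_invoice(id)            # sibling of the two above with no check at all
    inv.delete()
    return ok()
'''


def _call_name(node):
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _is_handler(fn):
    return any(isinstance(d, ast.Call) and _call_name(d) == "route" for d in fn.decorator_list)


def analyze_handler(fn):
    """Scenario A for one handler: where is the fetch, where is the check, and
    does any path use the fetched data before the check?"""
    first_fetch = first_check = None
    returns = []
    for node in ast.walk(fn):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in FETCH_NAMES and (first_fetch is None or node.lineno < first_fetch):
                first_fetch = node.lineno
            if name in CHECK_NAMES and (first_check is None or node.lineno < first_check):
                first_check = node.lineno
        elif isinstance(node, ast.Return):
            returns.append(node.lineno)
    findings = []
    if first_fetch is None:
        return findings  # nothing fetched, so nothing to guard in this model
    if first_check is None:
        findings.append("no policy check on fetched data")
        return findings
    if first_check > first_fetch:
        findings.append("policy check occurs after data fetch")
    if any(first_fetch < line < first_check for line in returns):
        findings.append("return path exits between fetch and policy check")
    return findings


def sweep(source):
    """Scenario C: run Scenario A over every handler, then flag guard disparity
    between siblings that all touch the same kind of sink."""
    tree = ast.parse(source)
    report = {fn.name: analyze_handler(fn) for fn in tree.body
              if isinstance(fn, ast.FunctionDef) and _is_handler(fn)}
    guarded = sorted(n for n, f in report.items() if "no policy check on fetched data" not in f)
    if guarded and len(guarded) < len(report):
        for name, findings in report.items():
            if name not in guarded:
                findings.append(f"guard parity: siblings {guarded} check, this handler does not")
    return report


if __name__ == "__main__":
    for handler, findings in sweep(SAMPLE_MODULE).items():
        print(handler, findings or ["ok"])
```

The sweep is deliberately line-order based: it answers "is there a path from fetch to use that never passes the check" well enough to triage, and a flagged handler is then confirmed by hand against Scenario A rather than reported from the sweep alone.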

## Conditional Decision Matrix

| Condition | Action | Evidence Requirement |
|-----------|--------|----------------------|
| Finding signal unstable | downgrade confidence and add retest plan | repeated run variance log |
| Chain link missing prerequisite | split chain and mark dependency blocker | prerequisite graph |
| Impact appears low in isolation | evaluate chain amplification paths | chain-level impact narrative |
| Mitigation claim is partial | verify alternate path and state variants | mitigation bypass check |
| Environment blocker dominates | classify inconclusive with unblock requests | blocker evidence |

## Advanced Coverage Extensions

- Add attack-path branching for multiple privilege starting points.
- Add defender-detection assumptions and likely monitoring signals.
- Add rollback/cleanup verification after proof steps.
- Add business-impact mapping to concrete assets and workflows.
- Add reproducibility score based on run-to-run consistency.