← Back to Research
Research19 min read

Vulnerability Programme Data Model: Finding Record Design

Every dashboard, every audit citation, every SLA, and every leadership view a vulnerability programme produces is a projection of the underlying finding record. Programmes that design the record schema deliberately have a defensible operating model and can change reporting, calibration, and policy without rewriting the data store. Programmes that adopt whatever schema the first tool brought in inherit the constraints of that tool and run the programme against assumptions they did not choose. The leverage in vulnerability programme operations sits at the record-design layer, not the dashboard layer.1,2,15,17,23

This research covers how a defensible vulnerability finding record is actually designed across enterprise security and AppSec programmes. It names the seven field classes a finding record must carry (identity, description, severity, classification, status, accountability, provenance), the three identifier strategies (per-capture, per-instance, per-issue) with their trade-offs, the asset-binding patterns that determine whether ownership routing resolves deterministically, the structured state enumeration that supports SLA reporting, the override and exception schema that keeps three classes of decision distinguishable, the activity log discipline that makes the chain of state transitions auditable, the multi-source ingest patterns that absorb scanner output without losing source context, the CVSS vector capture that preserves severity rationale, the evidence and document relationship that keeps the finding entity bounded, and the framework citations (SOC 2 CC4.1 and CC7.1 and CC9.1, ISO 27001 A.8.8 and A.5.4, PCI DSS 6.3.1 and 6.3.3 and 11.3, NIST SP 800-53 RA-5 and SI-2, NIST CSF 2.0 GV.RR and ID.RA and RS.MA, CIS Controls v8.1 safeguard 7) that read against the record discipline.3,4,5,6,7,8,9,11,12,13

Why the data model is the leverage point

Vulnerability programme leadership reviews dashboards, but the dashboard is a derivative of the underlying record. Every number on the leadership view (open finding count, severity distribution, mean time to remediate, SLA compliance rate, audit citation density) reads against the structured record on the operating store. If the record does not carry the field, the dashboard cannot show it; if the field is mutable when it should be immutable, the historical view is unreliable; if the relationship is implicit rather than explicit, the audit citation has to make assumptions. Programmes that improve reporting without improving the record are reorganising a view of unchanged data.1,3,23

The same logic applies to every operational discipline downstream of capture. Triage cadence reads the severity band and the CVSS vector. Ownership routing reads the asset binding. SLA cadence reads the immutable created-at timestamp and the status transition events. Audit citation reads the named accountability and the chain of activity events. Remediation throughput reads the state lifecycle and the resolved-at timestamp. Reopen rate reads the prior-state field and the verified-at timestamp. Every discipline is downstream of the record schema, which means improving any discipline requires the record to carry the field the discipline reads.

Designing the record well at the start is structurally easier than retrofitting fields after the operating model has accumulated historical data under the wrong schema. The retrofitting path requires backfilling missing fields, reconciling mutable history, and rewriting reporting; the deliberate-design path requires the programme to think through the eight design decisions covered in this research before the first finding lands on the record. The cost of deliberate design is a one-time exercise; the cost of retrofitting is a recurring tax on every change for the life of the programme.

The seven field classes a finding record carries

A defensible finding record carries seven field classes. Each class supports a downstream operational discipline; skipping a class loses the discipline that class supports. The table below names the field class, the fields that belong to it, and the downstream discipline that reads it.1,2,3,8

Field classFieldsDiscipline that reads it
IdentityWorkspace identifier, engagement identifier, source identifier, finding identifier, finding template identifier.Deduplication discipline, recurring-detection match logic, tenant isolation, cross-engagement search.
DescriptionTitle, description, affected asset, remediation guidance, client notes, consultant notes.Engineer-readable evidence package, finding translation discipline, retest preparation.
SeveritySeverity band (enumeration), CVSS score, CVSS vector, optional temporal and environmental modifiers.SLA prioritisation, leadership reporting, severity override decision, audit citation.
ClassificationCategory, control reference, CWE identifier, CVE identifier, EPSS score where available.Audit framework crosswalk, threat intelligence enrichment, secure-code training routing, KEV cross-reference.
StatusCurrent state (enumeration), prior state, transition reason, transition-by reference, transition-at timestamp.Remediation throughput reporting, SLA compliance reading, reopen rate measurement, state machine enforcement.
AccountabilityNamed owner reference, role-based access reference, notification channel reference.Routing primitive resolution, handoff cadence measurement, audit citation for response management, escalation discipline.
ProvenanceImmutable created-at timestamp, last-updated timestamp, resolved-at timestamp, verified-at timestamp, scan execution reference, document references for evidence.Audit trail reconstruction, handoff and remediation latency measurement, evidence chain regeneration, historical reporting.

The pattern across the seven classes is that each field exists to support a named operational discipline. Programmes that adopt a record with five classes (skipping accountability and provenance most commonly) end up reading those disciplines from comments, informal notes, or external systems that diverge from the workspace record. The deliberate-design exercise is to confirm each class is captured and to resist the urge to add bespoke fields the programme does not yet have a discipline for. The record carries the fields the disciplines actually read; bespoke fields without a discipline accumulate as schema debt.

Three finding identifier strategies

The finding identifier strategy is the decision the programme makes about what makes two captures the same finding versus two different findings. Three patterns recur across enterprise programmes, each with a different operational character.2,15,25

Per-capture identifier

Every scan run that detects an issue produces a new finding with its own identifier. The same underlying vulnerability across two scans is two records, joined later by deduplication discipline if at all. The strategy is the simplest to write because the intake path runs without merge logic, but it is the hardest to operate because the open-finding count overstates the true issue volume, the routing primitive sees the same finding repeatedly, and the engineering side faces a backlog that is structurally inflated. Programmes that operate per-capture should pair the strategy with a strong downstream deduplication pipeline and report open-finding counts decomposed by unique-issue versus capture-instance.

Per-instance identifier (the workspace pattern most enterprise programmes converge on)

Every (workspace, finding template, target) tuple is one identifier. The same template detected on the same target across many scans is one record whose state advances; a fresh detection on a different target is a different identifier; two templates on the same target are two identifiers. The merge logic runs deterministically on tuple match at scan intake, the open-finding count reads consistently across scans, and the recurring-detection logic compares against the same tuple without ambiguity. Per-instance is the compromise most enterprise programmes adopt because it preserves the operational granularity of the asset binding while collapsing the cross-scan noise that per-capture would inflate.

Per-issue identifier

Every underlying issue gets one identifier across all detections, all targets, all scans, all sources. Merge is enforced at intake using semantic similarity on the finding content, the CWE classification, the CVE reference, or the vendor-specific signal. The strategy produces the cleanest reporting model because the open-finding count reads against unique issues directly, but it is the hardest to write because the merge logic must run before record creation, the similarity signal can be ambiguous (two findings with the same CWE on different targets may or may not be the same underlying issue depending on programme convention), and the operational rollback path on a merge mistake is expensive. Programmes that adopt per-issue usually start from the per-instance pattern and converge issues through an explicit merge workflow rather than enforcing it at intake.

The choice is consequential because it propagates to every downstream report. A programme that runs per-capture and a programme that runs per-instance can produce very different open-finding counts for the same underlying portfolio, and comparing the two programmes side by side requires normalising the metric to the unique-issue dimension. The deduplication economics research covers the operational cost of running the deduplication discipline downstream of a per-capture strategy; the per-instance strategy collapses much of that cost into the record schema itself.

Asset binding patterns

The asset binding is the field that ties the finding to the operational system or component the engineering team owns. The binding determines whether the ownership routing primitive resolves to a named candidate deterministically or has to fall back to a manual triage queue. Three patterns recur, each with a different operational character.3,11,22,24

Binding patternHow it worksTrade-off
Free-text affected assetThe field is a string the scanner emitted. The binding is human-readable.The routing primitive cannot resolve the binding deterministically; ownership is inferred at triage time by the named user.
Foreign key to a workspace asset recordThe finding references a versioned record on the asset side (verified domain identifier for external and authenticated scans, connected repository identifier for code scans, image digest for container scans).The binding is structured; the routing primitive resolves through the foreign key; the audit citation reads from a single internal record.
External asset registry referenceThe finding carries an identifier from a separate CMDB or asset inventory; the binding requires the external system to remain authoritative.Divergence between the programme record and the registry produces unresolved findings; the audit citation reads across two records and requires reconciliation.

The structured foreign-key pattern is the cleanest model for an internally-operated programme. It keeps the binding inside the workspace, the resolution discipline runs deterministically, and the audit citation reads from a single record. Programmes that mix patterns (some findings on free-text, some on foreign-key) lose the structural advantage and have to write the resolution logic at every reporting query. The mixed-pattern programme usually accumulates as the programme grows from a single scanner to a multi-tool stack without revisiting the binding schema; the remediation is the discipline of resolving free-text bindings to structured asset references on cadence, and the recurring-detection logic against the same target tuple keeps the resolution stable.

For multi-scanner programmes the binding discipline interacts with the cross-scanner identifier reconciliation discipline covered in the scanner output normalised asset resolution guide; the binding pattern is the workspace-internal schema decision and the normalised-resolution discipline is the layer above that reconciles divergent scanner identifiers to the same internal binding. The two layers operate together; neither substitutes for the other.

The structured state enumeration

The state enumeration is the structured set of values the finding status field can hold and the rules that govern transitions between them. A minimal enumeration is four states. A compliance-control programme extends the set to cover control assessment outcomes alongside the vulnerability remediation chain.1,3,4,5,6

StateMeaningCommon transition
openThe finding is captured and not yet acted on. The default state at intake.open to in_progress (when a named owner picks up the finding) or open to resolved through override (when the finding is closed as false positive or accepted risk).
in_progressA named owner is working the finding. Triage decision made, remediation underway.in_progress to resolved (when engineering ships the fix) or in_progress to reopened (when triage discovers the finding cannot be remediated under the current architecture and re-routes to design).
resolvedThe engineering side has shipped the fix. The finding is awaiting verification through retest.resolved to verified (when retest passes) or resolved to reopened (when retest fails or the fix regresses).
verifiedThe security side has confirmed the fix with retest evidence. The finding is closed.verified to reopened (when a subsequent scan detects the same finding on the same target, indicating regression).
reopenedA previously closed finding has been detected again or has failed verification.reopened to in_progress (when the named owner re-engages the remediation work).
Control-state set (compliance findings)compliant, non_compliant, not_applicable, not_assessed, implemented, partially_implemented, not_implemented, effective, ineffective, not_tested.Control assessment transitions per audit cadence; parallel chain to the vulnerability remediation states above.

The transition rules name which states can move to which (open to in_progress to resolved to verified is the canonical chain; reopened can move back to in_progress; resolved cannot skip directly to verified without retest evidence). The transition reason field captures why each move happened (auto-resolved by scan diff against the override record, manually advanced by named user, retest passed, retest failed, exception accepted) so the chain reads as a defensible cadence on the activity log rather than as an inferred timeline. Programmes that operate without a structured enumeration end up with strings that mean different things in different places (resolved versus closed versus fixed versus done) and the dashboard has to map across the variants at every query.

The structured state enumeration also defines the SLA boundary. The handoff segment covered in the security engineering handoff latency research sits between open and in_progress. The triage segment sits between in_progress and resolved. The verification segment sits between resolved and verified. The reopen rate measures the transition from verified back to reopened. Each segment is measurable only because the state enumeration carries the structured boundary; programmes that bundle states into an open and closed flag lose all of the per-segment signal.

Override and exception schema

Overrides and exceptions are structured decisions the programme records against the finding rather than free-text annotations on the description. The three override classes carry different audit weight and should remain distinguishable on the record.1,4,5,6,13,18

False positive

The scanner detected the issue but the underlying vulnerability is not present after manual validation. The programme records the false-positive decision so the next recurring detection on the same (workspace, finding template, target) tuple inherits the disposition rather than re-triaging the same noise. The record carries the rationale (why the validation showed the finding is not real), the named creator (the security operations user who validated), and the created-at timestamp. The audit citation reads against the rationale and the chain of evidence the validation rested on.

Accepted risk

The underlying vulnerability is real but the programme has accepted the residual risk under documented rationale, named approver, and (where the programme operates a renewal cadence) expiry. The acceptance carries forward until the expiry triggers re-evaluation or until a significant change (scope, severity, threat intelligence, compensating control degradation) requires the acceptance to be revisited. The record carries the acceptance rationale, the named approver, the created-at timestamp, the original severity preserved, and any compensating-control references. The audit citation reads against the rationale, the approver authority, and the renewal discipline.

Severity override

The scanner severity does not match the workspace calibration after environmental modifier application. The original severity is preserved alongside the override severity so the audit citation reads against both; the workspace calibration rationale is captured in the reason field. Severity overrides are common in mature programmes that apply consistent CVSS environmental modifiers across their portfolio; the scanner-emitted severity reflects the generic base score and the workspace override reflects the actual environmental impact. The audit citation reads against the rationale, the preserved original, the new band, and the named approver.

The override record is keyed to the (workspace, finding, target) tuple so that recurring detection logic on the next scan can match the override and carry the disposition forward without re-triage. Programmes that collapse the three classes into a single suppression flag lose the ability to distinguish noise reduction (false positive) from accepted risk (which carries an audit citation) from severity calibration (which preserves the rationale). The three classes pair with the structured override workflow covered on the finding overrides feature page and with the programme-side workflow on the vulnerability acceptance and exception management workflow.

Activity log discipline

The activity log is the chronological record of every state transition, ownership change, severity change, override decision, comment, and document attachment that touches the finding. The log is separate from the finding entity itself because the finding holds the current state while the log holds the chain of how the state arrived. The log is append-only; once written, the entry does not change.1,3,4,5,19

Fields the activity log carries per event

  • Workspace reference. The tenant the event belongs to, so the log is isolated under row-level security.
  • Actor reference. The named workspace user who initiated the event, resolved through the user identity store so the audit citation reads against a named individual rather than a service account.
  • Action verb. The structured action that fired (finding_created, status_changed, severity_overridden, owner_reassigned, comment_added, document_attached, retest_passed, retest_failed, exception_accepted, exception_expired).
  • Entity type and identifier. The structured reference to the finding the event applies to (or the override, or the document, or the retest).
  • Structured metadata. The before-and-after snapshot of the changed field (the prior severity and the new severity on a severity change; the prior owner and the new owner on an owner reassignment; the prior status and the new status on a state transition).
  • Immutable created-at timestamp. The moment the event landed on the log, preserved at write time and not updated thereafter.

The audit query and the reporting query both read against the log rather than against the current state of the finding. The current state shows where the finding sits today; the log shows how it got there, when each transition happened, who initiated each transition, and what context was attached. Programmes that store activity in a mutable field on the finding (a notes column updated in place) lose the chronology and have to reconstruct it from version-control history of the column. Programmes that store activity in an append-only log can regenerate any historical view of the finding at any moment and the audit citation reads against the chain rather than against the current snapshot.

The log discipline also supports the latency-decomposition metrics. Handoff latency reads against the difference between finding_created and the first owner_assigned event for a named user. Triage latency reads against the difference between owner_assigned and the status_changed-to-in_progress event. Verification latency reads against the difference between status_changed-to-resolved and the retest_passed event. None of these metrics are computable without the structured log.

Multi-source ingest patterns

Enterprise programmes ingest findings from many sources: native scanners on the platform (external scans, authenticated scans, code scans), third-party scanner output (Nessus, Burp, Qualys, Acunetix, Snyk, OWASP ZAP), manual penetration test results, third-party security report intake, customer-reported issues, bug bounty disclosure, internal red team findings, supplier advisories. The data model has to absorb every source into the same record schema without losing the source-specific context.2,7,11,12,21

Source field on the finding record

Every finding carries a source identifier so the reporting query can decompose open-finding counts and remediation throughput by source. The decomposition surfaces structural signal: if one source produces ten times more findings than the others without producing ten times more remediated outcomes, the source is producing noise the programme is carrying as backlog. The decomposition also informs deduplication priority: when two sources detect the same underlying issue, the programme can prefer the higher-confidence source by policy rather than by intake order.

Column-mapping discipline at intake

The import path captures the source-emitted fields and maps them deterministically to the workspace schema (source title to finding title, source severity to severity band after normalisation, source asset reference to affected_asset binding through the resolution discipline, source CVSS vector to the CVSS vector field where the source provides one). The mapping is reusable across imports of the same source, so the second Nessus import maps the same way as the first; the determinism is what allows the recurring-detection logic to work across imports.

Source-specific finding template library

A library of finding templates with stable identifiers per underlying issue class supports the per-instance identifier strategy. When the same template is detected by two sources on the same target, the workspace can deduplicate at intake rather than running a downstream merge sweep. The library approach pairs cleanly with the per-instance identifier strategy because the template identifier becomes the merge key alongside the workspace and the target.

The bulk import workflow that operates the column mapping is one of the highest-leverage capabilities in a multi-source programme because it determines whether a Nessus finding and a Burp finding for the same underlying vulnerability collapse to one record or sit as two unresolved duplicates. The bulk finding import feature covers the operational surface; the data-model decision is whether the workspace treats third-party output as first-class findings on the same schema or as second-class attachments on a separate import log.

CVSS vector capture and severity rationale

Severity carries three pieces of information on a defensible record: the severity band (the enumeration the programme operates against), the CVSS score (the numerical rating), and the CVSS vector (the structured rationale). The vector is the audit-grade artefact because it names the eight base metrics and supports the optional temporal and environmental modifiers. Without the vector, the score is a number with no rationale; with the vector, the score reads as the consequence of named operational assumptions that the workspace can challenge during triage.8,9,10,13

FieldWhat it capturesWhat downstream reads it
Severity band (enumeration)Critical, high, medium, low, info; the programme operating value.SLA cadence, leadership reporting, routing primitive prioritisation.
CVSS score (numeric)Decimal between 0.0 and 10.0; the rating that maps to the band under the workspace calibration.Severity calibration audit, threshold-based reporting, portfolio risk aggregation.
CVSS vector (string)Structured rationale: attack vector, attack complexity, privileges required, user interaction, scope, confidentiality, integrity, availability; optional temporal and environmental modifiers.Severity override decision, environmental modifier application, re-derivation of the band on context change, audit citation for severity rationale.

Programmes that record only the band lose the rationale; programmes that record the band and the score lose the operational context; programmes that record band, score, and vector retain the full chain and can re-derive the band when the environmental modifier changes. The severity override discipline operates against this chain: the override preserves the original vector and the original band, names the new band, and records the rationale, so the audit citation can read both. Where the programme adopts a successor scoring system (CVSS 4.0 for new findings while retaining CVSS 3.1 for legacy findings), the vector field carries both versions through the transition and the score field reads as the appropriate version per finding.

Evidence and document relationships

Evidence on a finding is the artefact that proves the finding exists, the artefact that supports the severity rationale, the artefact that captures the reproduction steps, the artefact that documents the fix, and the artefact that supports the retest result. The data model holds evidence as a relationship to a document entity rather than as an embedded blob on the finding. Evidence accumulates over the finding lifecycle and embedding it on the finding entity makes the record unbounded in size.1,4,5,15

The document entity carries the workspace reference, the engagement reference, the file path, the file size, the mime type, the uploaded-by reference, and the created-at timestamp; the relationship to the finding is through a finding identifier on the document or through a join table that supports many-to-many evidence sharing. The pattern keeps the finding entity light, supports the audit query that reads against named evidence by class, and preserves the chronological order of evidence accumulation. Programmes that embed evidence as free-text in the description lose the structural advantage and have to parse the description to identify evidence by class at audit time.

For multi-audit programmes, the document-evidence pattern also supports the evidence-reuse discipline covered in the vulnerability evidence reuse across audits research; a structured document store lets the same scan output, retest log, or remediation evidence cite across SOC 2, ISO 27001, PCI DSS, and NIST audits without re-collection. The data-model decision is whether the workspace treats the document store as first-class infrastructure paired to findings or as a separate artefact pool referenced loosely through descriptions.

How frameworks read the record discipline

Audit frameworks do not name the data model directly. They do read the underlying disciplines that produce a defensible record: named accountability, timestamped state transitions, ranked severity, structured evidence, defined remediation cadence, and response management with assigned roles. The citations below name the relevant control surfaces.3,4,5,6,7,16

FrameworkRelevant controlRecord discipline the audit reads against
ISO 27001:2022Annex A.8.8 Technical Vulnerabilities; A.5.4 Management Responsibilities; A.5.7 Threat IntelligenceDefined process for handling technical vulnerabilities with assigned responsibilities; the audit reads against a chain of identified, evaluated, and remediated findings with named owners and structured severity.
SOC 2 (TSC 2017 with 2022 revisions)CC4.1 Monitoring of Controls; CC7.1 System Operations Monitoring; CC9.1 Risk Mitigation; CC2.1 CommunicationMonitoring and remediation of system vulnerabilities with documented responsibilities; the audit reads against the chain of detection, assignment, remediation, and verification events on the operating record.
PCI DSS v4.0Requirement 6.3.1 Vulnerability Identification; 6.3.3 Vulnerability Rankings and Remediation; 11.3 External and Internal ScanningVulnerabilities identified, ranked, addressed by the appropriate party in a defined timeframe; the audit reads against the defined cadence, named accountability, and severity ranking rationale.
NIST SP 800-53 Rev. 5RA-5 Vulnerability Monitoring and Scanning; SI-2 Flaw Remediation; CA-7 Continuous Monitoring; AU-2 Event LoggingVulnerabilities scanned, ranked, and remediated with named responsibilities and a defensible event log; the audit reads against the chain of detection, assignment, remediation, verification, and the activity log.
NIST CSF 2.0GV.RR Governance Roles and Responsibilities; ID.RA Risk Assessment; RS.MA Response ManagementRoles, responsibilities, risk assessment, and response management; the audit reads against the discipline of assigned response on each identified finding with structured severity rationale.
CIS Controls v8.1Safeguard 7.1 Establish and Maintain a Vulnerability Management Process; 7.2 Establish and Maintain a Remediation ProcessProcess for handling vulnerabilities with assigned responsibility, severity ranking, and defined remediation cadence; the audit reads against the structured record.
DORA (EU 2022/2554)Article 9 ICT Risk Management Framework; Article 17 ICT-Related Incident Management ProcessDefined risk-management process with assigned accountability; the audit reads against the operational cadence captured on the operating record and the structured event log.
OWASP SAMM v2.0Operations: Issue Management practice; Verification: Security Testing practiceMaturity model that reads against assignment cadence, response time, chain-of-state evidence on findings, and structured severity rationale.

Across the framework set, the audit reads against a chain of timestamped events with named accountability, structured severity, and documented evidence rather than against a single cycle-time number or an unstructured note. Programmes that design the record to carry the seven field classes produce stronger audit citations because the timeline reads as a defensible cadence with structured rationale rather than as a series of inferences. The audit evidence retention and disposal workflow covers the related discipline of how the chain of events is preserved for the audit lookback.

Eight design decisions for a defensible record

The instrumentation discipline below is the minimum required for a programme to operate the vulnerability record as a defensible audit-grade artefact. Programmes that miss any decision either cannot run the discipline at all or have to reconstruct it through manual spreadsheet effort at audit week.

  • Choose the identifier strategy deliberately. Per-capture, per-instance, or per-issue; the choice propagates to every downstream metric. Most enterprise programmes converge on per-instance because it preserves the operational granularity of the asset binding while collapsing cross-scan noise.
  • Adopt the structured asset binding pattern. Foreign key to a versioned workspace asset record; resist the free-text pattern even when the scanner output makes it tempting at intake. The structured binding is what makes the routing primitive resolve deterministically.
  • Define the state enumeration before the first finding lands. The minimal four-state chain plus reopened covers vulnerability remediation; the parallel control-state set covers compliance findings. Transition reasons are captured on the activity log.
  • Capture severity as band, score, and vector. The three together preserve the rationale, support the override discipline, and let the workspace re-derive the band when the environmental modifier changes.
  • Treat overrides as three distinct classes. False positive, accepted risk, and severity override carry different audit weight. The override record is keyed to the (workspace, finding, target) tuple so recurring detection carries the disposition forward without re-triage.
  • Operate an append-only activity log. Every state transition, ownership change, severity change, override decision, comment, and document attachment lands on the log with the actor reference, action verb, structured metadata, and immutable created-at timestamp. The log is the audit artefact.
  • Hold evidence as relationships to a document store. The document entity is separate from the finding entity; the relationship supports many-to-many evidence sharing across findings and audits.
  • Capture the source field on every finding. Multi-source ingest decomposes by source for reporting and deduplication; the column-mapping discipline at intake is reusable across imports of the same source.

How the engagement record carries the data model

The data model gets cleaner when the finding, the asset binding, the named owner, the override record, and the activity log live on the same engagement record the rest of the operational work lives on, rather than across a separate ticketing system that diverges from the security operating record after the next state change. The platform does not write the programme policy for the team; it does make the eight design decisions above operable from a single workspace.

SecPortal pairs every finding to a versioned engagement record through findings management. The findings table carries the workspace identifier, the engagement identifier, the title, the severity (a five-value enumeration: critical, high, medium, low, info), the status (a fifteen-value enumeration covering open through verified plus the parallel compliance-control state set), the description, the affected asset, the remediation guidance, the category, the control reference, the CVSS score, the CVSS vector, the resolved-at timestamp, the verified-at timestamp, and the immutable created-at timestamp. The schema implements the seven field classes described above.

The finding overrides feature holds the structured three-class override decision (false_positive, accepted_risk, severity_override) keyed to the (workspace, finding, target) tuple, preserves the original severity, names the override creator, and captures the reason and timestamps; the record survives every scan cycle so recurring detection inherits the disposition without re-triage.

The activity log with CSV export carries the append-only chronology of every state change, ownership reassignment, severity change, override decision, and document attachment by named actor with structured metadata; the log is what the audit query reads against rather than the current state of the finding alone. Team management with role-based access (owner, admin, member, viewer, billing) supplies the named owner reference and the actor identity store the log resolves against.

The asset binding uses structured foreign-key references for native scanners: verified domain identifiers for external scans and authenticated scans; connected repository identifiers for code scans. Third-party scanner output lands on the same schema through bulk finding import with reusable column mapping that preserves the deterministic ingest pattern across repeat imports from the same source. Document management supplies the structured evidence relationship paired to the finding. Engagement management groups findings, assets, evidence, and activity to a versioned engagement record so the per-engagement view of the data model reads consistently across reporting periods.

Honest scope. SecPortal does not synchronise the finding record to Jira, ServiceNow, Linear, Azure DevOps, or any external ticketing system; the operating record lives in the workspace and the data model is the workspace schema. The platform does not ship a built-in semantic similarity engine that automatically merges per-capture findings into per-issue identifiers; the workspace operates per-instance through the (workspace, finding template, target) tuple. The platform does not enforce engineering-side SLAs through external messaging integrations; the SLA discipline is the workspace policy paired with the activity log and the named-owner reference. The platform does not ship a built-in CMDB or asset inventory beyond the structured asset references for native scanners; programmes needing a wider asset registry land the resolved canonical reference into the affected_asset field at import time.

For internal security teams, the operating commitment is that the data model is opinionated, the seven field classes are captured by default, and the schema supports every downstream discipline (triage, ownership routing, SLA reporting, audit citation, evidence reuse). For vulnerability management teams, the value is that the per-instance identifier strategy, structured state enumeration, and append-only activity log decompose the remediation cycle into measurable segments without external integration. For AppSec teams and security engineering teams, the structured asset binding through verified domains and connected repositories means the routing primitive resolves deterministically. For GRC and compliance teams, the activity log carries the audit-grade chain of events with named accountability and structured severity rationale across SOC 2, ISO 27001, PCI DSS, NIST SP 800-53, NIST CSF 2.0, CIS Controls, and DORA citations. For CISOs and security operations leaders, the operating record is one schema across the programme rather than a federation of tool-specific records that diverge over time.

Conclusion

The vulnerability programme data model is the leverage point because every downstream discipline (triage, ownership routing, SLA cadence, audit citation, evidence reuse, leadership reporting) reads against the underlying record schema. Improving the dashboard without improving the record reorganises a view of unchanged data; improving the record automatically improves every downstream view. The deliberate-design exercise covers seven field classes (identity, description, severity, classification, status, accountability, provenance), three identifier strategies (per-capture, per-instance, per-issue), three asset-binding patterns (free-text, foreign key, external registry), a structured state enumeration with transition reasons, a three-class override schema, an append-only activity log, multi-source ingest with reusable column mapping, CVSS vector capture with band and score, and document-relationship evidence storage.1,3,8,15

Programmes that design the record well at the start carry a defensible operating model into every audit, every leadership review, and every policy change. Programmes that adopt whatever schema the first tool brought in inherit the constraints of that tool and run the programme against assumptions they did not choose. The data-model decision is one of the cheapest decisions to get right at the start and one of the most expensive to retrofit later. The platform you use does not have to write the data model for you. It does have to support the seven field classes, the eight design decisions, and the append-only activity log discipline on the same operating record the rest of the programme runs on.

Frequently Asked Questions

Sources

  1. NIST, SP 800-53 Revision 5: Security and Privacy Controls (RA-5 Vulnerability Monitoring and Scanning; SI-2 Flaw Remediation)
  2. NIST, SP 800-40 Revision 4: Guide to Enterprise Patch Management Planning
  3. NIST, Cybersecurity Framework (CSF) 2.0 with GV.RR Governance Roles and Responsibilities, ID.RA Risk Assessment, and RS.MA Response Management
  4. ISO/IEC, ISO 27001:2022 Annex A.8.8 Technical Vulnerabilities, A.5.4 Management Responsibilities, A.5.7 Threat Intelligence
  5. AICPA, SOC 2 Trust Services Criteria with CC4.1 Monitoring of Controls, CC7.1 System Operations Monitoring, CC9.1 Risk Mitigation
  6. PCI Security Standards Council, PCI DSS v4.0 Requirements 6.3.1 Vulnerability Identification, 6.3.3 Vulnerability Rankings and Remediation, 11.3 External and Internal Vulnerability Scanning
  7. CIS, Critical Security Controls v8.1 Safeguard 7 Continuous Vulnerability Management
  8. FIRST, Common Vulnerability Scoring System (CVSS) v3.1 Specification
  9. FIRST, Common Vulnerability Scoring System (CVSS) v4.0 Specification
  10. FIRST, Exploit Prediction Scoring System (EPSS)
  11. MITRE, Common Weakness Enumeration (CWE)
  12. MITRE, Common Vulnerabilities and Exposures (CVE)
  13. CISA, Stakeholder-Specific Vulnerability Categorization (SSVC) Decision Trees
  14. CISA, Known Exploited Vulnerabilities (KEV) Catalog and Binding Operational Directive 22-01
  15. OWASP, Software Assurance Maturity Model (SAMM) Issue Management practice
  16. European Union, Digital Operational Resilience Act (DORA) Article 9 ICT Risk Management Framework
  17. SecPortal, Findings Management
  18. SecPortal, Finding Overrides
  19. SecPortal, Activity Log
  20. SecPortal, Engagement Management
  21. SecPortal, Bulk Finding Import
  22. SecPortal Research, Security Engineering Handoff Latency
  23. SecPortal Research, Vulnerability Remediation Throughput
  24. SecPortal Research, Security Finding Ownership Decay
  25. SecPortal Research, Security Finding Deduplication Economics

Run the vulnerability programme on a deliberate data model

SecPortal ships an opinionated finding record schema for internal security teams: structured severity with CVSS vector, fifteen-value status enumeration, three-class override record, append-only activity log, and structured asset bindings paired to one versioned engagement record.

Start freeSee findings management