Internal vulnerability disclosure intake
a trusted front door for security reports that start inside the organisation

The internal security inbox is read by whoever is on the rota that week. Reports get acknowledged in email but never opened as findings; the email thread becomes the operational record by default. Three weeks later the original reporter follows up and nobody on the team can locate the report. The fix is opening every actionable internal report as a structured finding against the engagement record on the same day it arrives, so the operating queue is the canonical source rather than the inbox.

A developer reports a real vulnerability and hears nothing for two weeks. The reporter assumes the issue was ignored, escalates externally, and stops reporting internally. The fix is a documented acknowledgement window (typically twenty-four to seventy-two business hours) that runs on every channel, an automated or named-actor acknowledgement that the reporter sees with the assigned reference, and a quarterly review of acknowledgement latency by channel so the front door stays trusted.

The report enters as a finding against a vague target ("the staging environment") with no IP, no hostname, no repository, and no named owner. The finding stalls for two cycles because nobody is on the hook. The fix is the same intake discipline the broader queue uses: every internal-disclosure finding pairs to a real engagement, a named asset, and a named owner of record at the moment the security operator opens the record, with RBAC routing rules that push the new record to the right named person.

Two developers report the same misconfigured endpoint a day apart. Both reports open as separate findings. The triager spends an hour reconciling. Three months later an automated scan flags the same issue and it opens a third time. The fix is the same dedup-at-the-door discipline the broader intake runs: each internal-disclosure intake checks against the open catalogue for the same asset and the same finding template before opening a new record, and the activity log captures the merge decision.

An engineer marks their report as critical because the affected service is critical. A customer-success forwarded report comes in as low because the customer ticket was logged that way. Severity drifts across the queue and the prioritisation view becomes unsortable. The fix is severity normalisation at intake: the reporter-supplied severity is recorded as the source severity, the workspace severity policy applies the normalised severity against the calibration rule, and any override carries a named reason on the record.

A reporter raises an issue against a service that is not in scope for the security programme this quarter (a regional acquisition, a sunset product, a vendor-managed service). The report either lands on the queue and confuses the operating model or never lands at all. The fix is the explicit out-of-scope decision path: every internal-disclosure intake passes a scope check, in-scope reports land on the queue normally, out-of-scope reports land in an out-of-scope queue with a named decision owner who chooses one of three explicit paths (accept by opening a new engagement, defer with a documented rationale, close with a named reason).

The first event captured on the finding is the triage decision the security analyst recorded three days after the report. The chain of custody from report to triage is missing; the auditor reads the finding without knowing how it got onto the queue, who reported it, or which channel it came in through. The fix is stamping the activity log at intake with the source channel, the original reporter or reporter reference where anonymity protections apply, the source severity, the normalised severity, the asset binding, and the dedup decision, so the chronology is continuous from the first record through remediation, retest, and audit.

The named internal channel the report arrived through (security inbox, developer escalation, customer-success forwarded report, internal red team, bug bounty triage handoff, awareness exercise, compliance escalation, anonymous channel), the capture timestamp, the original source reference (email message ID, chat thread permalink, pull request URL, customer ticket reference, internal engagement ID, bounty case ID), and the source severity as recorded before any normalisation. The channel attribution survives into remediation and audit so the chronology is reconstructable rather than rebuilt from memory.

The named internal reporter where the channel governance permits identification, or the reporter reference where anonymity protections apply (anonymous-channel ID, customer-handle pseudonym from the bug bounty platform). The acknowledgement policy that applies to the channel (the window, the medium, the named acknowledger), and the timestamp of the acknowledgement that the reporter received. The acknowledgement record is part of the finding rather than a separate email so the audit reads the closed loop on the front door.

The engagement reference, the target asset (hostname, IP, repository, application service, mobile app, internal tool, business process where the finding is process-shaped rather than asset-shaped), and the named owner of record under the workspace RBAC. The owner of record is the person on the hook for the finding through remediation; the engagement reference is the planning context the finding sits inside. Both are captured at intake so the finding does not stall waiting for a routing decision.

The reporter-supplied severity where one was given, the normalised severity that the workspace operates against, the CVSS 3.1 vector and base score where the security operator can construct one at intake or where the source supplied a vector, and the named reason for any override of the auto-calculated severity. The normalisation policy is a workspace decision; the override reason makes the decision auditable for the next reader.

The evidence the next reader needs to triage and remediate: the original report body, attached screenshots, the reproduction steps where the reporter supplied them, the affected URL or endpoint, the affected repository and commit SHA for code-side reports, the customer ticket excerpt for forwarded reports, and any redacted detail where anonymity policy requires redaction. Document management holds the original artefacts as versioned attachments cited by the finding rather than re-authored on the record.

The result of the dedup check against the open catalogue (new record, merged into existing finding ID, suppressed against an active workspace suppression), the result of the exception match against the workspace exception register (no match, matches accepted risk reference, matches deferral reference, matches false-positive suppression), and the named actor and timestamp for each decision. The intake decisions are queryable so the next operator does not re-litigate them.