Vulnerability fix verification
close findings on proof, not promises

A developer marks the ticket "Done" in the engineering system. The security workspace finding flips to closed. No re-test runs against the deployed surface; no proof artefact lands on the record. The next scheduled scan against the same target reopens the finding two weeks later. The audit reads a status change with no evidence and treats the close as unverified. The fix is requiring the verification status, the named verifier, and an evidence artefact before the finding can transition to closed, so the close-out reads against proof rather than against a ticket flag.

The original SQL injection finding closes after a single quoted payload no longer triggers an error. Two weeks later the same input takes a UNION-based payload and the issue is back. The variant was always present; the verification only tested the one payload the original report cited. The fix is testing the original attack, the obvious variants the workspace catalogue links to the same CWE, and any sibling endpoints the original report flagged, so the close-out covers the vulnerability class rather than the single proof of concept the original tester wrote up.

The fix lands in the staging build, the verification re-tests against staging, and the finding closes. The production deployment fails three days later because the change collides with another release. Production stays vulnerable and the finding shows as closed. The fix is recording the deployment reference on the verification (build identifier, release date, environment) and re-testing against the production-equivalent target so the close-out reads against the actual deployed surface rather than against a tested-then-discarded staging build.

The authenticated scan that originally surfaced the finding loses its session during the verification re-run. The scanner falls back to an unauthenticated crawl, the original finding does not reproduce because the scanner cannot reach the authenticated surface, and the finding closes on a coverage failure rather than on a fix. The fix is checking the authenticated context flag on the verification scan (no AUTH_NOT_ALLOWED, no CREDENTIAL_DOMAIN_MISMATCH, no fallback to public crawl) before accepting the closure, so the close-out reads against authenticated coverage that actually exercised the patched surface.

The finding shows as closed, the closure timestamp is recorded, and the named closer is on the record. The verification evidence (re-test request and response, post-fix scan ID, commit SHA of the merged fix, deployment reference) lives in chat threads, screenshots on a laptop, and a ticket comment in an engineering system the security workspace does not read. The audit chain breaks at the closure event. The fix is stamping the activity log with the verification method, the verifier, the timestamp, the four-state outcome, and the citation to the evidence artefact so the chronology is reconstructable from the platform record alone.

A previously closed finding reopens four weeks later because a deployment regressed the fix. The reopened record opens as a new entry with a new ID, the audit chronology shows two findings with the same CWE rather than one finding that closed and reopened, and the regression goes unnoticed in the metrics. The fix is opening the new occurrence as a regression against the original finding ID (status: regressed) so the chronology reads as one finding with a documented closure, a documented reopen, and a documented owner for the regression rather than a parallel record the team has to manually reconcile.

The named owner records the code change, configuration change, dependency upgrade, infrastructure change, or compensating control before verification begins. The entry cites the commit SHA, the merge reference, the build identifier, the release reference, or the change record that landed the fix. Verifications opened against undocumented fixes return to the owner before re-test cycles burn calendar time. The deployment reference makes the close-out reproducible.

The verifier records which method the verification used: external scan replay for scan-sourced findings, authenticated DAST replay for authenticated-source findings, SAST or SCA re-run against the new commit for code-source findings, manual reproduction against the engagement scope for pentest-source findings, or supplier advisory acknowledgement for upstream advisories. The method aligns with the original source so the verification reads against the same surface that produced the original finding.

The verifier records which payloads, endpoints, or code paths were tested against the fix: the original payload, the obvious variants for the same CWE, the parallel endpoints in scope, and the sibling API versions. Variants that were not tested are listed explicitly so the next reader knows what the verification covered and what it did not. The variant register stops the close-out from being a single-payload proof.

The verifier marks the four-state outcome (verified fixed, partially fixed, not fixed, regressed) and, for partial fixes, the named residual variants and the recalibrated severity for what remains. Severity reconciliation reads against the workspace policy: a partial fix does not silently drop two severity bands because one variant of the original issue is closed. Findings management records the original severity and the post-verification severity with the named reason for any recalibration.

The verifier attaches the re-test request and response, the post-fix scan output, the SAST or SCA rule output that no longer matches, the screenshot of the fixed configuration, the supplier acknowledgement for advisory-driven findings, and the engineering reference (pull request, commit, deployment record). Document management holds the original artefacts as versioned attachments cited by the finding rather than re-authored on the close-out summary.

The activity log stamps the verification method, the named verifier, the verification timestamp, the four-state outcome, the recalibrated severity where applicable, the variant register, the deployment reference, and the citation to each evidence artefact at the moment the verification completes. The closure event reads against the chronological record rather than against a status flag the next auditor has to triangulate from email and chat.