Security finding ownership and routing
every finding lands on a named owner with a documented routing rule

The named asset on the finding (host, application, repository, cloud resource, dependency package, identity) carries a recorded owner of record on the engagement metadata. Routing reads the asset binding first because the asset is the most durable handle: a finding may move between scanners, severity bands, and engagement records, but the asset reference points at the team accountable for it. The asset-to-owner mapping is the input the routing engine reads against.

The provenance of the finding (Nessus output, Burp Suite session, authenticated DAST, code scan via Semgrep, manual pentest write-up, third-party report, customer disclosure, internal escalation) decides who triages it before it reaches the remediation owner. Source-class routing prevents the situation where an external scanner finding bypasses AppSec triage and lands directly on an engineering queue that cannot interpret the scanner output without security context.

The calibrated severity (the auto-calculated CVSS 3.1 vector on the finding) drives the named escalation tier the routing applies on the open-to-in-progress transition: critical and high-severity findings route to a named tier-one owner with a tighter acknowledgement window; medium findings route to the standard remediation tier; low findings route to the backlog tier. The severity-tier mapping is workspace policy, not analyst discretion.

The engagement context (pentest engagement, vulnerability assessment, ISO 27001 audit, SOC 2 readiness, bug bounty intake, security review, incident response) carries its own routing policy because the operating cadence and the stakeholder expectations differ. Pentest findings route to the engagement lead; vulnerability assessment findings route to the asset owner directly; bug bounty findings route through the disclosure triage queue; incident response findings route to the on-call IR owner with a parallel notification chain.

Asset tier (tier-zero regulated systems, tier-one revenue-critical applications, tier-two customer-facing systems, tier-three internal systems) compresses or extends the acceptance window before the routing escalates. A tier-zero asset with a high-severity finding does not wait the standard acknowledgement window; the routing escalates to the named secondary on the policy at a fraction of the default time so the unaccepted state cannot age silently.

Findings that touch a shared platform service, a shared dependency package, or a shared cloud subscription carry a multi-owner mapping: a designated lead owner under whom the finding routes, and a named coordinating committee whose members read every state change. Cross-team findings do not bounce between teams because the lead owner and the coordinating reads are explicit on the routing record.

Routing rules that target a group address (security-engineering@, platform-ops@, devops-team@) move the finding off the security side without moving it onto an accountable owner. The first engineer who opens the inbox picks the easy ones; the hard ones sit there until the audit lookback surfaces them. The routing engine must resolve to a named user on the workspace before the open-to-in_progress transition is allowed.

A finding is assigned to a workspace user record, the assigned_to field carries the email, but the named user never receives a notification because the routing rule does not invoke the assignment notification path or the user is inactive on the workspace. The fix is the assignment workflow that writes the activity log entry, looks up the assigned user profile, verifies workspace access, and pushes the notification into the user inbox so the assignment is observable rather than silent.

A security analyst decides who owns the finding in a Slack thread, the engineering side picks up the work, and the assignment never lands on the finding record. The audit cycle reads the assigned_to field as null and concludes the routing discipline is absent. The fix is requiring the assignment to land on the record before the in_progress state is reached, with the activity log capturing the actor, the prior owner (none), the new owner, and the routing rationale.

A workspace ships a catch-all rule that routes unmatched findings to one named user. The named user becomes the de-facto owner of every edge case the routing engine cannot resolve. Their queue grows without leadership visibility because the policy reads green and the activity log reads consistent. The fix is the unowned-finding queue with an explicit named operator who triages routing exceptions rather than absorbing them into a default-assignee tail.

A finding is reassigned from one team to another because the asset moved to a different business unit, but the activity log captures only the new owner. The audit query asks how long the finding was in the prior owner queue, who reassigned it, and why; the answer is reconstruction from email. The fix is the reassignment event that stamps the prior owner, the new owner, the reassigning actor, and the reason on the activity log so the routing chronology survives.

A finding lands on a named owner with a documented acknowledgement window, the owner does not respond within the window, and the finding ages in the open state because no escalation rule reads the unacknowledged signal. The fix is the acknowledgement-window queue that the security operations lead reads against the workspace policy, with notifications to the secondary on the policy and to the named escalation owner under the workspace RBAC.

The current value of the assigned_to field on the finding record and the prior owner captured in the activity log so reassignments read as chronology rather than as a snapshot. Both fields support the audit question of how long the finding was in each owner queue.

The routing rule that produced the assignment (Rule 1 through Rule 10 in the workspace policy, or a documented manual override) is recorded on the activity log entry so the routing chronology is reconstructable rather than implicit.

The documented acknowledgement window per severity and per asset tier (hours for critical, days for high, weeks for medium, longer for backlog) and the elapsed time the finding has been in the open state without the named owner accepting the work. The remaining window drives the escalation queue.

The named secondary and the named escalation owner under the workspace RBAC who receive the routing chain when the primary owner does not acknowledge within the documented window. The chain is recorded once on the workspace policy and read on every escalation event rather than rebuilt per-finding.

Every reassignment event stamps the prior owner, the new owner, the reassigning actor, the timestamp, and the rationale (asset moved, owner departed, scope changed, severity recalibrated, exception applied) so the routing chronology survives a successor analyst.

For findings on shared assets, the multi-owner mapping records the lead owner and the coordinating-committee members who receive read notifications. Routing decisions on shared assets read against this mapping rather than against a default-assignee rule.