Security finding reopen and regression handling
on one continuous record across closure cycles

When the new detection reads the same asset binding (verified domain, repository path, container image digest) and the same CWE classification as a previously closed finding, the workflow reopens the original record. The lineage stays one continuous chronology; the regression counter increments; the activity log captures the prior closure event and the new regression event as two timestamped transitions on one record.

For SAST-sourced findings, when the new detection reads the same repository, the same file path, and a re-occurrence of the same vulnerable code pattern (rule match against the same function or method), the workflow reopens the original record even if the CWE classification has shifted with a scanner update. The vulnerable code path is the durable identity; the rule label is the descriptor.

For external and authenticated DAST-sourced findings, when the new detection reads the same scan target and the same scanner module (TLS misconfiguration on the same domain, missing security header on the same endpoint, default credentials on the same admin interface), the workflow reopens the original record. The scan baseline diff cites the prior closure and the regression as two events against one asset.

When the new detection reads a different asset binding but matches the same CWE classification as a previously closed finding, the workflow opens a new finding with a new ID and links the original finding ID on the description and the activity log as related context. The new asset is a new instance; the regression counter does not increment because the original asset stayed fixed.

When the new detection reads the same asset binding but a different CWE classification (a previously closed SQL injection on /search and a new XSS on /search), the workflow opens a new finding with a new ID. The original closure on the SQL injection stands; the new XSS is a separate finding with its own remediation cycle. The asset binding is the same; the vulnerability class is different.

The standard new-intake flow applies. The workflow does not reach for a reopen because the new finding shares no identity with any prior closed finding. The intake workflow captures source, severity, asset, and named owner; the lifecycle proceeds from open through closed as a fresh remediation cycle.

When the new detection shares partial identity with a prior closed finding (overlapping endpoints, related CWE, adjacent code paths) but the workflow cannot deterministically resolve it to a single prior ID, the default is to open a new finding with a manual cross-reference to the candidate prior finding. The triager records the rationale for treating it as new rather than as a reopen so the audit chain documents the judgement instead of inferring it.

A previously closed finding surfaces again on the next scan cycle and the operator opens it as a new entry with a new ID rather than reopening the original. The activity log shows two unrelated findings with the same CWE on the same asset, the closed-count looks healthy, the reopen counter never increments, and the leadership report shows a programme with strong throughput. The audit reads two parallel records, the lineage is gone, and the regression pattern that should have triggered a control review is invisible. The fix is the reopen-the-original-record rule on same-asset-same-CWE detections so the chronology stays one continuous record.

The reopen happens on the original finding ID but the operator overwrites the closure rationale, the closed timestamp, and the named closer on the way back to open. The chronology now reads as if the finding was open from intake without interruption. The audit cannot reconstruct that the workspace ran a closure cycle, declared verified-fixed, and then encountered a regression. The fix is the append-only activity log: each transition adds a new entry rather than overwriting prior entries, so the closed-then-reopened arc reads as a sequence of timestamped events on the same record.

The reopen sets the remediation clock to the original intake SLA window (thirty days for medium severity from first detection). The original detection was four months ago, the closure was two months ago, and the regression is today; pretending the clock starts today inflates the SLA-attainment metric on regressions and hides the durability problem. The fix is a documented reopen SLA policy: regressions read a separate clock (often shorter than the intake SLA because the team already knows the vulnerability class and the asset), and the policy makes the reopen SLA visible alongside the intake SLA in the leadership report.

The reopened finding lands with a downgraded severity ("the regression is partial", "the variant is narrower", "the environment changed") and the activity log does not capture the named reviewer or the recalibration rationale. The closed-count rate looks healthy, the open-critical count stays flat, and the leadership read of programme risk understates the actual exposure. The fix is the documented severity-recalibration rule on reopens: the original severity is restored unless an explicit downgrade exception is documented with the named reviewer, the reason, and the activity-log stamp.

The workspace state model carries one reopened state that covers regression-on-closed, failed-retest, partial-fix-with-residuals, and reopen-on-overturned-false-positive without distinguishing them. The leadership report cannot separate fixes that did not hold (a controls problem) from fixes that did not cover the full class (a methodology problem) from dismissals that were wrong (a triage problem). The fix is structured regression-class metadata on the reopen transition so the leadership read separates the operational signal from the noise.

The regression was caught by a security engineer who flagged it in a channel; the team agreed to reopen the finding in a thread; the activity log shows the state transition with no citation to evidence. Six months later the audit asks where the regression evidence is and the workspace cannot produce it without a chat archive search. The fix is requiring the regression evidence (scan ID, retest transcript, manifest diff, configuration export, customer report, third-party assessment) attached to the reopened transition through document management as a versioned artefact the finding cites.

The reopen transition records the regression class (scanner re-detection, failed retest, partial fix, dependency or base-image downgrade, configuration drift, watch-window expiration, overturned false-positive) and the detection source (the scan ID, the retest transcript, the manifest diff, the configuration export, the customer-report reference, the third-party assessment reference). The class lets the leadership report separate controls problems from methodology problems from triage problems; the source is the audit-citation artefact.

The reopen cites the prior closure activity-log entry by ID: the prior closed timestamp, the prior named closer, the prior closure rationale, and the prior evidence artefacts. The chronology reads as a sequence of events on the same record rather than as two parallel records the auditor has to reconcile. The lineage is the durable identity that survives across closure cycles.

The reopen carries the original severity unless an explicit downgrade exception is documented. The exception record carries the named reviewer of the downgrade, the reason (narrower variant, changed environment, compensating control now in place), and the activity-log stamp. The reopened finding does not silently lose two severity bands because the operator who handled the reopen wrote a sentence of context in a comment.

The reopen assigns a named owner of the new cycle under team management RBAC. The owner may be the same as the original remediation owner (the engineering team that owns the codebase) or a different owner (the security operations lead picks up a regression while engineering investigates). The named owner is on the record at the moment of reopen, not assigned later in a separate triage round.

The reopen sets a target remediation date under the workspace reopen-SLA policy. The reopen clock is documented separately from the intake clock so the SLA-attainment metric on regressions is visible alongside the SLA-attainment metric on first-time intake. Programmes often shorten the reopen SLA relative to the intake SLA because the team already knows the vulnerability class and the asset.

The activity log stamps the reopen transition with the named reporter, the timestamp, the prior state (verified, closed, or false_positive), the new state (reopened), the regression class, the evidence reference, and the named owner of the new cycle. The next audit reconstructs the closed-then-reopened arc from the activity log without depending on chat archives or screenshots stored on someone laptop.