Vulnerability finding merge and supersede workflow
one identity per underlying issue across every source

The external scanner reports a TLS misconfiguration on the public endpoint, and the authenticated scanner reports the same TLS misconfiguration on the same target hours later. The cross-engagement view returns two records that describe one underlying issue. The merge discipline selects the surviving record (typically the earlier authenticated scan with stronger evidence), supersedes the second record into a closed status, and writes the surviving record id on the closed record so the audit trail reads as one operating decision rather than as a parallel pair of open findings.

The tester writes a manual SQL injection finding on /api/orders during a scoped engagement. A subsequent authenticated scan against the same target produces a generic SQL injection record on the same endpoint with weaker evidence. The manual finding carries the validated reproduction steps, the calibrated CVSS vector, and the named tester; the scanner finding adds nothing the manual record does not already hold. The merge discipline keeps the manual finding as the surviving record and supersedes the scanner finding without losing the scan evidence on the activity log.

An external firm delivers a report covering systems that the internal AppSec team has separately scanned. Two or three findings overlap. The third-party report carries the vendor methodology and the contract attestation; the internal records carry the live remediation queue and the deeper evidence. The merge discipline names the surviving record (usually the internal record because it is the operating queue), references the vendor report attribution on the surviving record so the external report context is preserved, and supersedes the duplicate vendor-imported finding into a closed status with the link back to the surviving record.

The original finding closed on the previous cycle with a verified fix, and the next scanner run produces a fresh finding on the same target and the same finding template. Without merge discipline the new record looks like a separate finding; with merge discipline the next-cycle detection is recognised as a regression that reopens the original record rather than as a new finding. The cross-engagement view returns one finding with a reopened state and an appended scan-evidence reference, not two records with different identities.

Bulk finding import lands a CSV from a legacy spreadsheet or a prior scanner export, and one of the imported rows describes a finding the workspace already carries. The intake duplicate flag fires at the column-mapping step; the merge discipline names the existing record as the surviving record, attaches the imported source data as evidence on the surviving finding, and the duplicate row closes with the link to the surviving record rather than landing as a fresh open finding.

One finding is written as the broad weakness (cross-site scripting affects the customer portal); the second finding is written as the specific instance (reflected XSS on the support search form). The merge discipline decides which level of granularity the workspace operates at, then keeps the chosen record as the surviving identity. The opposing record either closes with the surviving record link or is rewritten to merge its evidence into the surviving record working notes so the granularity choice is documented.

An open finding becomes irrelevant because the affected asset retired, the application path is removed, the dependency is replaced with a different package, or the system is decommissioned outside the workspace. The merge-and-supersede discipline closes the superseded record to not_applicable with the supersession reason recorded on the closed finding and an activity log entry that names the supersession event. The surviving identity is the absence of the finding; the closed record documents why the original record no longer holds.

Evidence quality is the first decision input. A finding with a documented reproduction, a calibrated CVSS 3.1 vector, a named tester attribution, and an attached request/response payload outranks a finding with only a generic scanner title and a default severity. The record with the stronger evidence becomes the surviving identity; the weaker record closes with the link to the surviving finding rather than the reverse. Cross-engagement finding search filtered to the substring or to the title pattern returns both records so the comparison runs against the actual evidence each record carries, not against the operator memory of which one was logged first.

A finding that is already in_progress with a named owner, a target close date, and a remediation thread is the operating queue position. Replacing the operating queue position with a duplicate intake breaks the work-in-flight; the merge discipline keeps the in_progress record as the surviving identity even when the duplicate intake has a slightly more recent timestamp. The closed duplicate references the in_progress survivor so the audit trail reads continuously rather than splitting the remediation history across two records.

Engagement attribution matters when the merge crosses two parent engagements. The surviving record is usually the one inside the in-flight engagement because the deliverable, the retest schedule, and the report draft all reference that engagement record. A duplicate logged inside a stale or closed engagement is the candidate for supersession because keeping it open creates a stranded record outside the deliverable boundary. The deep-link from the cross-engagement view to the parent engagement is the audit hand-off the merge decision documents.

Granularity is a deliberate workspace convention. Some programmes operate at the broad-weakness level (one finding per CWE per application) and treat each instance as an evidence row on the parent finding; some programmes operate at the per-instance level (one finding per affected endpoint) and treat the broad-weakness narrative as the description on each instance. The merge discipline applies the chosen convention consistently; the surviving record sits at the convention level, and the duplicates at the wrong granularity supersede into the surviving record.

The duplicate represents a finding that should not have entered the operating queue at all, the affected asset retired, the scope changed, the dependency was replaced with a different package, or the parent engagement was rolled back. Closing the duplicate as not_applicable signals to the workspace and to the audit that the record was never operationally valid, not that the underlying issue was fixed.

The duplicate represents a scanner-side artefact that has no operational meaning, a tooling re-detection of a previously dismissed scan-time positive, a redundant intake from bulk import that the scanner-output deduplication discipline did not catch at ingest, or a vendor finding that the workspace has already validated as a false positive. The finding overrides primitive records the override decision with the (workspace, finding, target) uniqueness key so the next scanner re-detection inherits the same dismissal automatically.

The duplicate represents a finding that the surviving record already remediated. The closure narrative on the duplicate cites the surviving record id, the date the surviving record was verified closed, and the retest evidence the surviving record carries. This is the most common closure state when the merge happens after the underlying issue has been fixed but before the duplicate intake was triaged out of the queue.

When the duplicate is the next-cycle scanner re-detection of a previously closed finding, the operating discipline reopens the original record rather than closing the new detection. The new detection scan-id, the new evidence, and the regression class are appended to the original record working notes, and the original finding moves from a closed status back to reopened. The duplicate detection record itself closes with the reference to the reopened original.