Security finding template
- Finding ID:
- Title:
- Reviewer:
- First observed:
- Affected commit, release, image digest, and environment:
- Severity and scoring method:
- CWE/CVE references, if applicable:
- Status: open / remediating / ready for retest / closed / risk accepted
Summary and impact
Describe the violated boundary, attacker prerequisites, affected tenants or data, confidentiality/integrity/availability impact, and realistic worst case.
Reproduction
Provide the minimum safe steps, requests, and non-secret evidence. Never include live credentials, customer content, private keys, or unnecessary exploit data.
Root cause
Identify the exact authorization, validation, isolation, lifecycle, or supply-chain failure. Distinguish the root cause from the observed symptom.
Remediation and compensating controls
Record the intended invariant, code/infrastructure change, interim control, owner, target release, and regression coverage.
Retest
Record reviewer, date, fixed commit/image digest, original reproduction result, new negative/positive cases, and final disposition.
Exception, if any
Record business justification, exploitability analysis, scope, monitoring, named approver, expiry date, and the event that forces earlier review. Critical or high findings cannot be accepted for managed GA.