Understanding findings
Read severity first
Start with critical and high items — they represent the largest potential impact if valid.
Then confidence
Within the same severity band, prefer higher confidence when deciding what to fix first.
Validate in context
Ask:
- Does this match how our protocol actually runs?
- Is the assumption still true after our latest changes?
- Is there a dependency or integration the finding does not cover?
Use system analysis
Open invariants, assumptions, and decisions when available — they help you judge whether an issue is realistic for your design.
Track review state
Use in-product review or status controls so your team agrees on what is accepted, fixed, or disputed.
When exploit verification exists
If exploit verification ran, treat reproduced outcomes as strong evidence — but still align with your threat model.