Current state: no external findings recorded yet.
Summary
- High and Critical findings are release blockers until remediated and regression-tested.
- Medium findings require an explicit written disposition before release.
- Low and Informational findings may be deferred only if they remain recorded with owner and revisit date.
- Every accepted fix should link the regression proof that keeps it closed.
Findings Ledger
| Finding ID | Severity | Exploit Path | Disposition | Owner | Regression Proof | Blocker State | Revisit Date |
|---|---|---|---|---|---|---|---|
| none yet | Informational | no external findings recorded yet | awaiting review | maintainers | add test, corpus fixture, or generated artifact link when a finding lands | non-blocking | next external review |
Disposition Workflow
High and Critical
- Treat High and Critical findings as release blockers.
- Do not close the finding until the fix lands, the regression proof is linked, and the reviewer packet reflects the new state.
- Record the blocker in this ledger even if the fix ships in the same phase.
Medium
- Medium findings require explicit written disposition before release.
- Either fix in the current phase or defer with rationale, compensating controls, owner, and revisit date.
- A Medium finding without an owner or revisit date is not considered dispositioned.
Low and Informational
- Low and Informational findings must still be recorded.
- Deferred items require scope notes, an owner, and a revisit date so the repo does not silently forget them.
Regression Requirements
- Link every remediated finding to a regression test, corpus fixture, or generated artifact check.
- Preferred proof targets are `SECURITY_REVIEW_EVIDENCE.md`, `CONFORMANCE.md`, focused ExUnit files, or the repo security CI lane.
- When a finding changes a trust-boundary contract, update `SECURITY_REVIEW.md` so reviewers can follow the new proof path.