Triage And Reporting Standard

Good security reports are boring in the best way: clear scope, clear evidence, clear impact, and no overclaiming.

Classifications

• Observation: interesting behavior, but no proven weakness.
• Hardening note: a defensive improvement with unclear exploitability.
• Informative: reproducible behavior that does not cross a meaningful security boundary.
• Needs more proof: suspicious behavior with missing evidence.
• Reportable vulnerability: reproducible unauthorized access, action, exposure, or security impact inside allowed scope.

Impact Chain

A strong impact chain answers:

• Who is the actor?
• What action did they perform?
• What boundary was crossed?
• What data, state, permission, or workflow was affected?
• Why does that matter to security or business risk?

Evidence Requirements

Evidence should show what happened, which account or role was used, which object was involved, what changed, and what did not happen in the secure control case. Use placeholders in public notes.

Avoid Overclaiming

Do not claim account takeover, private data exposure, privilege escalation, or financial impact unless the evidence proves it. If the result only affects your own test data, say that clearly.

When To Discard

Discard or reclassify when the behavior is intended, out of scope, not reproducible, self-impact only, missing a boundary crossing, or based on private data you should not access.

For structured AI-assisted classification, see the AI-OS Reportability Rubric.