triage-validation
Install: claude install-skill Mikacr1138/claude-bug-bounty
# TRIAGE & VALIDATION
One wrong answer = STOP. Kill it. Move on.
> "N/A hurts your validity ratio. Informative is neutral. Only submit what passes all 7 questions."
---
## THE 7-QUESTION GATE
Ask IN ORDER. One wrong answer = STOP immediately.
---
### Q1: Can an attacker use this RIGHT NOW, step by step?
Complete this template:
```
1. Setup: I need [own account / another user's ID / no account]
2. Request: [exact HTTP method, URL, headers, body — copy-paste ready]
3. Result: I can [read / modify / delete] [exact data shown in response]
4. Impact: The real-world consequence is [account takeover / PII read / money stolen]
5. Cost: Time: [X minutes], Capital: [$0 / $X subscription required]
```
**If you CANNOT write step 2 as a real HTTP request → KILL IT.**
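A worked check for Q1 step 2, extended with the host-scope test Q3 asks for below, as an added example that is not part of this skill or the original page. It parses the raw request from step 2, rejects anything that still contains bracketed template text, and then tests the Host header against a hypothetical program scope. The `IN_SCOPE` and `OUT_OF_SCOPE` lists, the `target.example` hostnames and the three sample PoCs are all constructed for the example. Exclusions win over inclusions, and a `*.` wildcard matches subdomains only, so the apex must be listed on its own if the program includes it:

```python
import re

# Q1 step 2 must be a concrete, copy-paste-ready HTTP request. Unfilled template
# fields look like "[victim id]"; this heuristic flags bracketed text that begins
# with a letter and contains no double quotes, so JSON arrays such as [1, 2] or
# ["a", "b"] in a body are left alone.
PLACEHOLDER = re.compile(r'\[[A-Za-z][^\]"]*\]')
METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}

# Hypothetical program scope, in the shape a program page lists it (constructed).
IN_SCOPE = ["*.target.example", "target.example"]
OUT_OF_SCOPE = ["*.internal.target.example", "staging.target.example"]


def parse_raw_request(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request; raise ValueError if it is not concrete."""
    text = raw.replace("\r\n", "\n").strip("\n")
    found = PLACEHOLDER.findall(text)
    if found:
        raise ValueError(f"unfilled placeholders: {found}")
    head, _, body = text.partition("\n\n")  # blank line separates headers from body
    lines = head.splitlines()
    first = lines[0] if lines else ""
    parts = first.split()
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {first!r}")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header: {line!r}")
        headers[name.strip().lower()] = value.strip()
    if "host" not in headers:
        raise ValueError("missing Host header")
    return {
        "method": method,
        "target": target,
        "host": headers["host"].split(":")[0].lower(),  # drop any :port
        "headers": headers,
        "body": body,
    }


def host_matches(host: str, pattern: str) -> bool:
    """'*.example.com' matches any subdomain (not the apex); anything else is exact."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        # pattern[1:] keeps the leading dot, so evil-example.com does not match
        return host.endswith(pattern[1:])
    return host == pattern


def in_scope(host: str, allowed=IN_SCOPE, excluded=OUT_OF_SCOPE) -> bool:
    """Exclusions win: a host under an out-of-scope pattern is out even if an
    in-scope wildcard would also cover it."""
    if any(host_matches(host, p) for p in excluded):
        return False
    return any(host_matches(host, p) for p in allowed)


def gate(raw: str, allowed=IN_SCOPE, excluded=OUT_OF_SCOPE) -> tuple:
    """Apply Q1 step 2 and Q3 to a PoC request; return (passed, reason)."""
    try:
        req = parse_raw_request(raw)
    except ValueError as err:
        return False, f"Q1: {err} -> KILL IT"
    if not in_scope(req["host"], allowed, excluded):
        return False, f"Q3: {req['host']} is not an in-scope asset -> KILL IT"
    return True, f"{req['method']} {req['target']} against {req['host']}"


# Constructed sample PoCs for the three outcomes (not real findings).
CONCRETE = (
    "GET /api/v1/users/1042/profile HTTP/1.1\n"
    "Host: api.target.example\n"
    "Cookie: session=ATTACKER_SESSION\n"
)
UNFILLED = (
    "POST /api/v1/users/[victim id]/email HTTP/1.1\n"
    "Host: api.target.example\n"
    "Content-Type: application/json\n\n"
    '{"email": "attacker@example.com"}\n'
)
OUT_OF_SCOPE_HOST = (
    "GET /debug/vars HTTP/1.1\n"
    "Host: metrics.internal.target.example\n"
)

if __name__ == "__main__":
    for name, poc in [("concrete", CONCRETE), ("unfilled", UNFILLED),
                      ("internal", OUT_OF_SCOPE_HOST)]:
        print(f"{name}: {gate(poc)}")
```

Run it directly to see the three verdicts. Only the first sample passes; the second fails Q1 because `[victim id]` was never replaced with a real identifier, and the third parses cleanly but fails Q3 because the host sits under the excluded `*.internal.target.example` wildcard even though `*.target.example` would otherwise cover it.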
---
### Q2: Is the impact on the program's accepted impact list?
Go to the program page. Find the "Vulnerability Types" and "Out of Scope" sections.
Common tiers:
- **Critical**: Account takeover of any user without interaction, RCE, SQLi with demonstrated data exfiltration, admin authentication bypass
- **High**: Mass PII exfiltration, privilege escalation, SSRF that reaches internal services and returns data, stored XSS that fires for all users
- **Medium**: IDOR exposing one specific user's non-critical data, XSS on a sensitive page that requires a click
- **Low**: Non-sensitive information disclosure, clickjacking with a working PoC
**If your bug maps to a listed exclusion → KILL IT.**
---
### Q3: Is the root cause in an in-scope asset?
Confirm:
- The vulnerable host is on the in-scope list and not under a listed exclusion (e.g. `*.internal.target.com`)
- It's a production asset