Install: `claude install-skill elementalsouls/Claude-BugHunter`
# TRIAGE & VALIDATION
One wrong answer = STOP **this finding**. Kill **the finding**. Move on **to the next test class**.
> **Scope of "STOP" in this skill:** This skill's gates kill INDIVIDUAL FINDINGS that fail validation. They do NOT authorize stopping the engagement. Killing a finding via the 7-Question Gate just means *that finding* doesn't get submitted — every other test class in the engagement is still pending. See `redteam-mindset` "DO NOT STOP primary directive" for the coverage-axis rule.
> "N/A hurts your validity ratio. Informative is neutral. Only submit what passes all 7 questions."
---
## THE 7-QUESTION GATE
Ask IN ORDER. One wrong answer = STOP immediately.
---
### Q1: Can an attacker use this RIGHT NOW, step by step?
Complete this template:
```
1. Setup: I need [own account / another user's ID / no account]
2. Request: [exact HTTP method, URL, headers, body — copy-paste ready]
3. Result: I can [read / modify / delete] [exact data shown in response]
4. Impact: The real-world consequence is [account takeover / PII read / money stolen]
5. Cost: Time: [X minutes], Capital: [$0 / $X subscription required]
```
**If you CANNOT write step 2 as a real HTTP request → KILL IT.**
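One way to apply this kill rule mechanically before a finding goes further, as an added example that is not part of the skill's own code: a small linter that reads a filled-in Q1 template and reports every reason it fails. The names `q1_gate`, `request_problem` and `parse_steps`, the method list, and both sample write-ups are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

FIELDS = ("Setup", "Request", "Result", "Impact", "Cost")
METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}  # assumed list
STEP = re.compile(r"^\s*\d\.\s*(\w+):\s*(.*)$")
SLOT = re.compile(r"\[[^\]]*\]")  # a template slot left as [ ... ]

def parse_steps(text):
    """Map each 'N. Field: value' line to {Field: value}."""
    hits = (STEP.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in hits if m}

def request_problem(value):
    """Step 2 must start with an HTTP method and an absolute http(s) URL."""
    parts = value.split()
    if len(parts) < 2 or parts[0].upper() not in METHODS:
        return "Request: not an HTTP request (no method and URL)"
    try:
        url = urlsplit(parts[1])
    except ValueError:  # urlsplit raises on malformed bracketed hosts
        return "Request: URL does not parse"
    if url.scheme not in ("http", "https") or not url.hostname:
        return "Request: URL is not absolute http(s)"
    return None

def q1_gate(text):
    """Hypothetical helper: reasons a write-up fails Q1; empty list = passes."""
    steps, problems = parse_steps(text), []
    for field in FIELDS:
        value = steps.get(field, "")
        if not value:
            problems.append(f"{field}: missing")
        elif field == "Request":  # checked structurally; a body may contain [ ]
            issue = request_problem(value)
            if issue:
                problems.append(issue)
        elif SLOT.search(value):
            problems.append(f"{field}: template slot not filled in")
    return problems

# Constructed samples (example.com is a reserved documentation domain).
PASSING = """1. Setup: I need own account
2. Request: GET https://app.example.com/api/v1/invoices/1002 as test account A
3. Result: I can read invoice 1002, which belongs to test account B
4. Impact: The real-world consequence is PII read
5. Cost: Time: 5 minutes, Capital: $0"""
FAILING = """1. Setup: I need own account
2. Request: change the id in the invoice URL
4. Impact: The real-world consequence is [account takeover / PII read / money stolen]"""
```

`q1_gate(PASSING)` returns an empty list; any non-empty result is a reason to kill the finding at Q1 before asking Q2.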
---
### Q2: Is the impact on the program's accepted impact list?
Go to the program page. Find "Vulnerability Types" or "Out of Scope."
Common tiers:
- **Critical**: Any-user ATO without interaction, RCE, SQLi with data exfil, admin auth bypass
- **High**: Mass PII exfil, pr