Drive every vulnerability from discovery to verified closure: governed, deduplicated, and auditable at enterprise scale.
A finding in PMAP is a single vulnerability observed on a single asset, whether it arrived from a scanner or was authored by a pentester. The finding domain owns the entire lifecycle: creation, deduplication, triage, assignment, the status state machine, SLA, re-testing, evidence, ticketing, and reporting export.
PMAP makes the lifecycle explicit and enforced. Status changes obey a state machine rather than analyst convention. Severity carries both the scanner value and the effective value so nothing is silently overwritten. Duplicates are rejected at the door. Risk-acceptance passes through a second reviewer. Every transition is recorded.

The design problem at enterprise scale is not storing findings. It is governing hundreds of thousands of them without the process degrading into a spreadsheet of free text.
At a glance
- Backend domain: internal/finding (Go modular monolith, ~50 REST endpoints)
- Status model: Nine-state machine, three terminal states, audit-logged transitions
- Deduplication: Fingerprint-based, scoped per company, force override on create
- Severity: Effective severity tracked separately from preserved original_severity
- Approval gate: Four-eyes review on accepted_risk, false_positive, and closed
- Evidence: Structured steps plus live SAST/SCA/DAST vendor artefacts
- Multi-tenancy: ScopeFilter on every list, export, and facet path
How it works
One finding model, one enforced lifecycle. Scanner-imported and analyst-authored vulnerabilities triage, govern, and close exactly the same way, with every transition recorded.
Deduplication is the first line of defence against volume; evidence and a second reviewer are the discipline on the way out. A recurring vulnerability becomes one governed finding, and a closure is backed by proof and a four-eyes decision.
Every active finding carries a severity-based SLA deadline, governed taxonomy, and polymorphic ownership, all inside a tenant boundary that is enforced in code rather than left to convention.
Key capabilities
- Severity governance. original_severity preserves the scanner value; the effective severity may be raised or lowered by a rule or analyst, with a rule_override_message explaining any change.
- Taxonomy enrichment. Canonical effects, root_causes, and remediation_techniques arrays, plus cve_ids, cvss, and mitre_technique_ids, backfilled by VulnDB Smart Match.
- Multi-assignee and attribution. Ownership and discovery are polymorphic across users and teams; legacy single-value fields stay populated for backward compatibility.
- Wave visibility. reopen_count, seen_in_scans_count, and last_wave_at travel with each finding so persistence is visible at a glance.
Use cases
- Triage a scanner import. A vulnerability manager imports a weekly scan. Correlation deduplicates recurrences, new items land in open, and the analyst bulk-assigns by owner and bulk-sets status, clearing thousands of rows in minutes.
- Author and prove a finding. A pentester records structured steps to reproduce, tools, accounts, and exploit status, attributes discovery to their team, and links a VulnDB template that backfills CWE, MITRE, and taxonomy.
- Verify and close with proof. A remediation owner reports a fix. The analyst runs a re-test producing a timestamped FindingRetest record; a pass closes the finding, a failure reopens it and bumps the reopen count.
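The governed lifecycle described under Key capabilities and Use cases, as an added Go example. This is illustration code written for this page, not PMAP's internal/finding package. It assumes a store keyed by (company, fingerprint), a fingerprint over an assumed (asset, vulnerability id, location) tuple, and an assumed transition table in which in_progress and retest stand in for the intermediate states; the page names only open, accepted_risk, false_positive and closed of the nine. It shows the four behaviours the page describes: a duplicate is rejected at the door unless force is set, original_severity survives an override that must carry a rule_override_message, the three terminal states require a second reviewer distinct from the actor, and a failed re-test reopens the finding and bumps reopen_count, with every accepted transition appended to an audit trail.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Status is one lifecycle state. The page names only open, accepted_risk, false_positive
// and closed; in_progress and retest are assumed here and are not PMAP's real nine states.
type Status string

const (
	StatusOpen          Status = "open"
	StatusInProgress    Status = "in_progress" // assumed
	StatusRetest        Status = "retest"      // assumed
	StatusAcceptedRisk  Status = "accepted_risk"
	StatusFalsePositive Status = "false_positive"
	StatusClosed        Status = "closed"
)

// allowed is the (assumed) transition table; terminal states have no row, so nothing leaves them.
var allowed = map[Status]map[Status]bool{
	StatusOpen:       {StatusInProgress: true, StatusAcceptedRisk: true, StatusFalsePositive: true},
	StatusInProgress: {StatusRetest: true, StatusAcceptedRisk: true},
	StatusRetest:     {StatusClosed: true, StatusOpen: true},
}
var terminal = map[Status]bool{StatusAcceptedRisk: true, StatusFalsePositive: true, StatusClosed: true} // four-eyes gate
var (
	ErrDuplicate      = errors.New("duplicate finding in this company; pass force to create anyway")
	ErrTransition     = errors.New("transition not allowed by state machine")
	ErrSecondReviewer = errors.New("terminal status requires a distinct second reviewer")
	ErrOverrideMsg    = errors.New("severity override requires a rule_override_message")
)

// AuditEntry records one accepted transition: who performed it and who approved it.
type AuditEntry struct{ From, To Status; Actor, Approver string }
type Finding struct {
	CompanyID, Fingerprint        string
	OriginalSeverity              string // scanner value, never rewritten
	Severity, RuleOverrideMessage string // effective value and why it differs
	Status                        Status
	ReopenCount, SeenInScansCount int
	Audit                         []AuditEntry
}

// Fingerprint hashes an assumed identity tuple; the page only says dedup is fingerprint-based.
func Fingerprint(assetID, vulnID, location string) string {
	sum := sha256.Sum256([]byte(assetID + "\x00" + vulnID + "\x00" + location))
	return hex.EncodeToString(sum[:])
}

// Store keys findings by (company, fingerprint), so deduplication is tenant-scoped.
type Store struct{ index map[string]*Finding }

func NewStore() *Store { return &Store{index: map[string]*Finding{}} }

// Create rejects a recurrence unless force is set, bumping seen_in_scans_count on the original.
func (s *Store) Create(f *Finding, force bool) (*Finding, error) {
	key := f.CompanyID + ":" + f.Fingerprint
	existing, known := s.index[key]
	if known && !force {
		existing.SeenInScansCount++
		return existing, ErrDuplicate
	}
	f.OriginalSeverity, f.Status, f.SeenInScansCount = f.Severity, StatusOpen, 1
	if !known { // a forced duplicate never displaces the original in the index
		s.index[key] = f
	}
	return f, nil
}

// SetSeverity changes only the effective severity and demands an explanation.
func (f *Finding) SetSeverity(sev, msg string) error {
	if msg == "" {
		return ErrOverrideMsg
	}
	f.Severity, f.RuleOverrideMessage = sev, msg
	return nil
}

// Transition enforces the state machine and the four-eyes gate, counts reopens, and audits.
func (f *Finding) Transition(to Status, actor, approver string) error {
	if !allowed[f.Status][to] {
		return fmt.Errorf("%w: %s -> %s", ErrTransition, f.Status, to)
	}
	if terminal[to] && (approver == "" || approver == actor) {
		return ErrSecondReviewer
	}
	if to == StatusOpen { f.ReopenCount++ } // reopen_count makes persistence visible
	f.Audit = append(f.Audit, AuditEntry{From: f.Status, To: to, Actor: actor, Approver: approver})
	f.Status = to
	return nil
}

// RecordRetest closes on a pass (second reviewer required) and reopens on a failure.
func (f *Finding) RecordRetest(passed bool, tester, approver string) error {
	if passed { return f.Transition(StatusClosed, tester, approver) }
	return f.Transition(StatusOpen, tester, "")
}

func main() {
	f, _ := NewStore().Create(&Finding{CompanyID: "acme", Fingerprint: Fingerprint("web-01", "VULN-PLACEHOLDER", "/login"), Severity: "high"}, false)
	fmt.Println(f.Transition(StatusClosed, "alice", "bob")) // open -> closed skips re-testing and is refused
}
```

Under these assumptions the Audit slice is the closure proof: anyone reading a closed finding sees which actor moved it and which reviewer approved it, and a self-approval or a jump straight from open to closed never reaches the audit log because it is refused first. The page's FindingRetest record is reduced here to RecordRetest's pass/fail outcome.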
One enforced lifecycle from discovery to verified, audited closure.