
How to prove a vulnerability is actually fixed

A closed ticket says someone did the work. It doesn't say the vulnerability is gone. Here's how to turn "remediated" into proof your auditor can check.

A vulnerability gets flagged, an engineer patches it, drags the ticket to Done, and the dashboard turns a healthier shade of green. Everyone moves on. Nobody re-checked the asset, so the only thing that actually changed is the status of a card.

That gap is where breaches live. The patch didn’t apply cleanly. It reverted on the next deploy. It fixed a staging box while the production instance — the one that was flagged — kept answering. “Remediated” became a story everyone agreed to believe because checking it was somebody else’s job.

“Closed” is a claim. Treat it like one.

When a ticket closes, you’ve learned that someone did some work. You haven’t learned that the vulnerability is gone. Those are different facts, and most remediation programs quietly conflate them — which is why “we remediated that last quarter” so often turns into “wait, it’s still open?” the week before an audit.

The fix is to make a closed ticket carry a burden of proof. Every time work is marked done, something independent re-tests the asset and records the result. Pass, and the finding earns its closure. Fail, and it reopens with the reason attached. The status and the truth stop drifting apart.

What independent verification looks like

Independent means the check doesn’t trust the person who closed the ticket. Depending on the asset, that’s a re-scan of the original source, a second scanner for consensus, an API probe against the live service, or a documented attestation when a scan can’t reach it. The method gets recorded alongside the result, so later you can see not just that it passed, but how.

The output is the part that changes the audit. A verified fix produces an evidence package: the finding, the re-test method, the exposure before and after, the operator who approved the dispatch, and a SHA-256 integrity hash. Hand that to an auditor and they don’t have to trust you — they can check the hash themselves.
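An added example, not Basirah's code or format, of the closure rule described above (pass earns closure, fail reopens with the reason) applied to the evidence package just listed. It assumes the package is a JSON manifest with the field names used below; the finding id and operator are placeholders.

```python
import hashlib
import hmac
import json

# Fields the article says a verified fix should carry. The names are assumed
# here; the real package layout is not specified on the page.
REQUIRED_FIELDS = (
    "finding", "retest_method", "exposure_before",
    "exposure_after", "approved_by", "retest_result",
)

def canonical_bytes(record: dict) -> bytes:
    # Sorted keys and fixed separators: identical content always hashes the same.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def seal_package(record: dict) -> dict:
    # Attach the integrity hash, computed over everything except the hash itself.
    return {**record, "sha256": hashlib.sha256(canonical_bytes(record)).hexdigest()}

def verify_package(package: dict) -> tuple[str, str]:
    """Return (verdict, reason): 'closed', 'reopen' or 'reject'."""
    missing = [f for f in REQUIRED_FIELDS if f not in package]
    if missing:
        return "reject", "missing fields: " + ", ".join(missing)
    if "sha256" not in package:
        return "reject", "no integrity hash"
    body = {k: v for k, v in package.items() if k != "sha256"}
    expected = hashlib.sha256(canonical_bytes(body)).hexdigest()
    # Constant-time compare; a mismatch means the package was altered after sealing.
    if not hmac.compare_digest(expected, str(package["sha256"])):
        return "reject", "integrity hash does not match contents"
    if package["retest_result"] != "pass":
        return "reopen", f"re-test via {package['retest_method']} failed: {package['exposure_after']}"
    return "closed", f"re-test via {package['retest_method']} passed, approved by {package['approved_by']}"

# Constructed sample package (placeholder finding id and operator).
SAMPLE = seal_package({
    "finding": "FINDING-0001 (placeholder): TLS 1.0 accepted on prod-web",
    "retest_method": "api_probe",
    "exposure_before": "TLS 1.0 handshake accepted",
    "exposure_after": "TLS 1.0 handshake rejected",
    "approved_by": "operator@example.com",
    "retest_result": "pass",
})

if __name__ == "__main__":
    print(verify_package(SAMPLE))
    # Edit a field after sealing: the hash no longer matches, so the package is rejected.
    print(verify_package({**SAMPLE, "exposure_after": "TLS 1.0 handshake accepted"}))
```

An auditor only needs the manifest and the hash function to repeat the check; no trust in the operator who sealed it is required.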

Drop a package here to check it

or click to choose the .zip. It's checked locally in your browser. Nothing is sent anywhere.

Drop a sample package above and watch the checks run. The hash either matches or it doesn’t; the re-test either passed or it didn’t. There’s nothing to take on faith, which is the whole point.

Where to start

Pick a finding you closed last quarter and ask one question: how do you know it’s still fixed? If the answer is “the ticket’s closed,” you’ve found the gap. Verify a sample evidence package to see what the proof looks like, or download the sample package and inspect it yourself.

A closed ticket should be the start of proof. Right now, for most teams, it’s the end of the conversation.

Common questions

What does it mean to verify a remediation?

Verification is an independent re-test of the asset after the fix — a re-scan, a second scanner, an API probe, or a documented attestation — that confirms the vulnerability no longer responds. It's separate from the person who closed the ticket, so "fixed" stops depending on one engineer's word.

Why isn't a closed ticket enough proof?

A closed ticket records an action; the outcome is a separate fact. The patch may have failed, reverted on the next deploy, or fixed a different instance than the one that was flagged. Until something re-tests the asset, the only evidence is that a human moved a card.

What evidence should a verified fix produce?

A package that names the finding, the method used to re-test it, the before-and-after exposure, the operator who approved it, and a SHA-256 hash so anyone can confirm the file wasn't altered. That's the difference between a screenshot and something an auditor can independently check.

Can you verify fixes for vulnerabilities found by any scanner?

Yes. Basirah verifies against the source where it can re-scan, and falls back to an independent scanner, an API probe, manual attestation, or multi-scanner consensus depending on the asset and what's available.

A closed ticket isn't proof

Bring a finding you closed last quarter. We'll show you whether the fix actually held.
