All skills
Skillintermediate

Gate Reviews and Verdicts

Before reporting ANY bug as a vulnerability, all six gate reviews must pass. Evaluate these during the GATE REVIEW task after all phases are complete:

Claude Code Knowledge Pack7/10/2026

Overview

Gate Reviews and Verdicts

Before reporting ANY bug as a vulnerability, all six gate reviews must pass. Evaluate these during the GATE REVIEW task after all phases are complete:

GateCriterionPassFail
1. ProcessAll phases completed with documented evidenceEvidence exists for every phasePhases lack concrete evidence
2. ReachabilityAttacker can reach and control data at the vulnerabilityClear evidence of attacker-controlled path + PoC confirmsCannot demonstrate attacker control or reachability
3. Real ImpactExploitation leads to RCE, privesc, or info disclosureDirect impact with concrete scenariosOnly operational robustness issue
4. PoC ValidationPoC (pseudocode, executable, or unit test) demonstrates the attack pathShows attacker control, trigger, and impactPoC fails to show attack path or impact
5. Math BoundsMathematical analysis confirms vulnerable condition is possibleAlgebraic proof shows condition is possibleMath proves validation prevents it
6. EnvironmentNo environmental protections entirely prevent exploitationProtections do not eliminate vulnerabilityEnvironmental protections block it entirely

Verdict Format

  • TRUE POSITIVE: All gate reviews pass → BUG #N TRUE POSITIVE — [brief vulnerability description]
  • FALSE POSITIVE: Any gate review fails → BUG #N FALSE POSITIVE — [brief reason for rejection]

If any phase fails verification, document the failure with evidence and continue all remaining phases. Issue the FALSE POSITIVE verdict only after all phases are complete.

Example Verdict

BUG #3 FALSE POSITIVE — Integer underflow in packet_handler.c:142
  Gate 5 (Math Bounds) FAIL: validation at line 98 ensures packet_size >= 16,
  making (packet_size - header_size) >= 8. Underflow is mathematically impossible.