What the certificate says
It is a single PDF, signed and dated. It lists the engagement, each finding that was re-tested, the closure status of each, and the engineer who validated it. It is written to be readable by a third-party auditor or an enterprise procurement team, not only by the engineering team that received the original report.
When we ship it
We ship the certificate when:
- Every finding from the original report has been re-tested, whether or not a fix shipped
- Every fix that did ship has been validated: we re-ran the original exploit against the fixed build and confirmed it no longer works. A proof of concept that fails for an unrelated reason (the endpoint moved, a WAF blocked the request, the test account expired) is inconclusive, not validated
- No new findings were introduced by the fix: we did a quick re-scan of the functionality and configuration adjacent to the change
- Every finding still open is documented as accepted risk, with the customer's signature
When we won't ship it
- Half the findings are closed and half are waiting for the next sprint
- A fix shipped, but the team cannot reproduce the test environment, so we cannot re-test it
- A finding was "closed" by a configuration change (a WAF rule, a feature flag, a disabled endpoint) while the vulnerable code is unchanged, so the fix can be reverted silently and the finding comes back
In each case we explain why, and what we would need in order to ship it.
What it isn't
The certificate is not a SOC 2 report, a PCI attestation, or a HIPAA compliance statement. It's a narrow, factual document about one engagement. Customers occasionally try to use it as a substitute for a compliance audit. We push back when that happens — for everyone's protection.