THREAT INTEL

FINDINGS.

24 findings from Q3 external pentest. 6 critical (CVSS 9+) including SSRF + open-redirect. 3 marked "remediated" but reappeared in retest.

A remediation that doesn't survive retest is theater.

PT-001 · SSRF in webhook validator · REGRESSED
Closed 2025-09-12. Re-opened by retest 2025-10-30.
Root-cause regression, lock down with regression test.
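
One way to pin the PT-001 fix with a regression test, as an added example that is not code from the engagement or the tested application. The validator `validate_webhook_url`, the fake DNS table and the URL cases are constructed assumptions, since the page does not show the real validator.

```python
import ipaddress
from urllib.parse import urlsplit

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def validate_webhook_url(url, resolver):
    """Return (ok, reason); ok only if every resolved address is public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable url"
    if parts.scheme != "https":  # assumption: webhooks are HTTPS-only
        return False, "scheme not allowed"
    if not host or "@" in parts.netloc:
        return False, "missing host or embedded credentials"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup
    except ValueError:
        try:
            addrs = resolver(host)  # production: a socket.getaddrinfo wrapper
        except OSError:
            return False, "resolution failed"
    if not addrs or not all(is_public(a) for a in addrs):
        return False, "non-public address"
    return True, "ok"

# Constructed test data: fake DNS so the suite runs offline.
FAKE_DNS = {"hooks.example.com": ["93.184.216.34"],
            "internal.example.com": ["10.0.0.5"],
            "mixed.example.com": ["93.184.216.34", "127.0.0.1"]}
def fake_resolver(host):
    return FAKE_DNS.get(host, [])

# Constructed (url, expected_ok) pairs; each rejected form stays pinned.
REGRESSION_CASES = [
    ("https://hooks.example.com/cb", True), ("https://internal.example.com/cb", False),
    ("https://mixed.example.com/cb", False), ("https://127.0.0.1/cb", False),
    ("https://169.254.169.254/latest/", False), ("https://[::ffff:127.0.0.1]/cb", False),
    ("http://hooks.example.com/cb", False), ("https://user@hooks.example.com/cb", False),
]

def failing_cases(resolver=fake_resolver):
    return [u for u, ok in REGRESSION_CASES
            if validate_webhook_url(u, resolver)[0] != ok]
```

Wire `failing_cases()` into CI so a non-empty result fails the build, and append the exact URL from each retest to `REGRESSION_CASES`. Validation alone does not cover a host that re-resolves or redirects after the check, so the fetcher should connect to the validated address and not follow redirects.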