Skip to main content
VaultDevLabs
Synthetic sample report

See the evidence pack before you buy.

This sample uses a synthetic fixture, not a client system or claimed incident. It shows how findings, positive controls, limitations, practical fixes and retest status are documented in a real delivery.

Security Snapshot £495Scope Approval £99Standard Snapshot £895

Inside the synthetic sample

Finding 01 · Public source mapMedium

Sanitised example evidence, interpretation, practical action and honest retest status.

Choose a starting point

View Stripe Webhook Security Review

Authorised scope only

Human-reviewed findings

No credentials by default

Retest proof available

Methodology
Synthetic sample · not client work

Security Snapshot Evidence Pack

This synthetic fixture shows the client-readable structure without using a customer, production incident or claimed repair. Real reports are written against the authorised scope, observed evidence and agreed test window.

Authorised public-surface review

Sample date
13 July 2026
Scope
example.invalid app and webhook
Review ID
SYN-SS-001

Scope

Synthetic approved public surface

Evidence

Observed, expected and interpreted

Retest

No repair or successful retest claimed

Example findings

Review findingPositive controlCoverage limitation

Public source map

Review finding

Medium

Observed request: GET https://app.example.invalid/assets/app.js.map

Observed result: HTTP 200 · application/json

Expected: Production source maps are not publicly retrievable.

Interpretation: The synthetic response exposed source paths and build structure. It does not prove access to credentials or private customer data.

Recommended action: Stop publishing production source maps publicly, or upload them directly to the approved error-monitoring service.

Synthetic evidence row

Webhook rejection

Positive control

Passed

Observed request: POST https://app.example.invalid/webhooks/stripe · invalid signature

Observed result: HTTP 400 · no state change

Expected: Reject the request before business logic runs.

Interpretation: The synthetic boundary behaved as expected. This is recorded as a positive control, not a vulnerability finding.

Recommended action: Keep signature verification before event processing and preserve delivery-history evidence.

Expected control observed

Authenticated roles

Coverage limitation

Not tested

Observed request: No credentials or test accounts supplied

Observed result: Logged-in routes excluded

Expected: Credentialed testing requires separate written scope and test accounts.

Interpretation: The public-surface review cannot prove role separation, IDOR resistance or logged-in business-logic controls.

Recommended action: Use a separately authorised credentialed review if role and permission boundaries need evidence.

Boundary stated explicitly
Example format only. No customer system was tested and no repair is claimed.

Positive controls

Example control

The synthetic invalid-signature request was rejected before business logic ran. A real report records the response evidence and explains what that positive result does and does not prove.

Positive control register included

Limitations

Coverage boundary

A public-surface review does not prove IDOR resistance, role separation, logged-in business logic or permission boundaries. Those require separate written approval and suitable test accounts.

Limitations appendix included

Synthetic retest record

No successful fix is implied by this sample

Before

Source map returned HTTP 200 in the synthetic fixture.

Change

No production change was performed.

After

Not retested.

Decision

Open example finding; no closure claim.

Request scope approvalLock the target before testing starts
Authorised testing only. No destructive actions. No credential attacks.
Security Snapshot

Ready to turn this structure into your report?

Start Security Snapshot if the scope is clear, or use Scope Approval first if you want the target and boundaries confirmed before the review.