Defect Management
From the moment you find a bug to the moment it’s confirmed fixed — defect management is the process that keeps bugs tracked, prioritised, and resolved systematically.
The defect lifecycle
| State | Who owns it | What happens |
|---|---|---|
| New | Tester | Bug reported, not yet reviewed |
| Assigned | Lead / Manager | Triaged, assigned to developer |
| Open / In Progress | Developer | Being investigated and fixed |
| Fixed | Developer | Code change made, ready for retest |
| Retest | Tester | Verify the fix works |
| Closed | Tester | Verified fixed in all affected environments |
| Rejected | Developer / Lead | Not a bug — by design, duplicate, or not reproducible |
| Deferred | Lead / PM | Won’t fix this release, scheduled for later |
Writing good bug reports
A good bug report lets a developer reproduce the issue without asking you anything. It contains:
- Title — one sentence: what breaks, where, and under what condition. Not "Login broken" — "Login fails with HTTP 500 when password contains special characters".
- Steps to reproduce — numbered, specific, reproducible steps from a known starting state.
- Expected result — what should happen.
- Actual result — what actually happens. Include error messages verbatim.
- Environment — browser, OS, version, test environment.
- Severity and priority — (see below).
- Evidence — screenshot, video, log snippet.
Severity vs priority
These are different dimensions. Both must be set, and they often conflict.
| Severity | Definition | Example |
|---|---|---|
| Critical | System crash, data loss, security breach | Payment processed but order not created |
| High | Major function broken, no workaround | Users can’t submit the main form |
| Medium | Function broken, workaround exists | Export to CSV fails but PDF works |
| Low | Minor issue, cosmetic, or rarely hit | Tooltip text has a typo |
Priority is a business decision: how urgently does this need to be fixed, relative to everything else? A low-severity cosmetic bug on the homepage might be high priority if a CEO demo is tomorrow. A high-severity crash in a rarely used report might be deferred.
Testers set severity; product/business sets priority. This distinction matters — don’t conflate them.
Root cause analysis
For high-severity or recurring defects, root cause analysis (RCA) asks not just "what broke" but "why." Common RCA techniques: 5 Whys, fishbone diagram, fault tree analysis. The goal: prevent the same class of bug recurring. RCA findings feed into process improvements and updated testing checklists.
Defect metrics
- Defect density — defects per unit of code or per feature area. Identifies unstable modules.
- Defect removal efficiency (DRE) — percentage of defects found before release vs total defects found (pre + post release). Target: > 90%.
- Mean time to detect (MTTD) — average time from defect introduction to detection.
- Defect escape rate — how many defects reach production. The key quality signal for leads.
ISTQB mapping
| Ref | Topic | Level |
|---|---|---|
| CTFL Ch. 5 | Defect management — defect reports, lifecycle, workflow | Foundation |
| CTAL-TA Ch. 6 | When defects can be detected, defect report fields, classification | Advanced |
| CTAL-TM Ch. 4 | Defect management process, metrics, root cause analysis | Lead |
Practice this technique: Try Test Lead Practice 08 — Defect triage, Test Lead Practice 09 — Coaching scenario.
Try It — Severity or priority?
Five bugs have been reported on a NZ banking portal. Assign the correct Severity (Critical/High/Medium/Low) and Priority (P1-Urgent/P2-High/P3-Medium/P4-Low) to each.
| Bug | Severity | Priority |
|---|---|---|
| Payment is processed and money debited, but no confirmation email is sent and the transaction doesn’t appear in transaction history | ||
| Bank logo in the footer is pixelated — CEO demo to the board is tomorrow | ||
| Bulk payment CSV export fails — workaround is to export individual payments one by one | ||
| Session expires after 15 minutes with no warning — RBNZ security guidelines require 20-minute timeout with a warning | ||
| "Help" tooltip on the password field has a typo in a rarely visited screen |
Answers
| Bug | Severity | Priority | Why |
|---|---|---|---|
| Payment debited, no record | Critical | P1-Urgent | Data loss and financial integrity breach. Both are maximum — fix immediately. |
| Pixelated logo, CEO demo tomorrow | Low | P1-Urgent | Classic low-severity / high-priority. A cosmetic bug, but a business deadline makes it urgent today. |
| CSV export fails, workaround exists | Medium | P3-Medium | Function broken but not blocked. Workaround reduces urgency — plan for next sprint. |
| Session timeout non-compliant | High | P1-Urgent | Regulatory compliance failure (RBNZ). Severity is High, but compliance risk makes it P1. |
| Tooltip typo, rarely visited | Low | P4-Low | Cosmetic, low-traffic, no workaround needed. Backlog item. |
The key insight: the logo and compliance bugs both illustrate that severity and priority are independent. Business context drives priority — not just technical impact. Testers own severity; product/business owns priority.