# Risk formulas

## Purpose

- Define how normalized factors combine into a risk score and severity.

## Formula building blocks

- Weighted sum with per-factor caps and family caps.
- Normalize raw score to 0-1 and apply gates.
- VEX gate: `not_affected` can short-circuit to 0.0.
- CVSS + KEV boost: `clamp01((cvss/10) + kev_bonus)`.
- Trust gates: fail or down-weight low-trust provenance.
- Decay: apply time-based decay to stale signals.
- Overrides: tenant or asset overrides with expiry and audit.

## Severity mapping

- Map `normalized_score` to critical, high, medium, low, informational.
- Store band rationale in explainability output.

## Determinism

- Stable factor ordering before aggregation.
- Fixed precision (example: 4 decimals) before severity mapping.
- Hash fixtures and record SHA256 in `docs/risk/samples/formulas/`.

## Related references

- risk/overview.md
- risk/factors.md
- risk/profiles.md
- risk/explainability.md
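The following is an added worked example, not the project's own scorer, showing how the building blocks, severity mapping and determinism rules above can fit together in one pipeline. The factor table, weights, caps, family caps, half-life, trust threshold, band thresholds, the order in which the steps run, and the choice to apply the CVSS + KEV boost as a floor under the weighted sum are all constructed assumptions; the real profiles live in risk/factors.md and risk/profiles.md.

```python
"""Added example: deterministic risk scorer built from the blocks on this page.
Every constant below is an assumption for illustration, not a project value."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Constructed factor table: signal name -> family, weight, per-factor cap.
FACTORS = {
    "cvss":            {"family": "vuln",   "weight": 0.5, "cap": 0.5},
    "kev":             {"family": "vuln",   "weight": 0.3, "cap": 0.3},
    "exposure":        {"family": "asset",  "weight": 0.4, "cap": 0.3},
    "exploit_chatter": {"family": "threat", "weight": 0.3, "cap": 0.2},
}
FAMILY_CAPS = {"vuln": 0.6, "asset": 0.3, "threat": 0.2}   # sum (1.1) is the max raw score
KEV_BONUS = 0.2            # assumed kev_bonus for clamp01((cvss/10) + kev_bonus)
HALF_LIFE_DAYS = 30.0      # assumed decay half-life for stale signals
TRUST_FAIL_BELOW = 0.2     # provenance trust below this fails the gate outright
PRECISION = 4              # fixed precision before severity mapping
# Inclusive lower bounds, checked from highest to lowest (assumed thresholds).
BANDS = ((0.9, "critical"), (0.7, "high"), (0.4, "medium"),
         (0.1, "low"), (0.0, "informational"))


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def decay(value: float, age_days: float) -> float:
    """Exponential half-life decay applied to a signal's normalized value."""
    return value * 0.5 ** (age_days / HALF_LIFE_DAYS)


def severity_for(normalized_score: float) -> str:
    for floor, band in BANDS:
        if normalized_score >= floor:
            return band
    return "informational"


def _result(value: float, rationale: List[str]) -> dict:
    # Rounding before band mapping keeps the band decision reproducible.
    fixed = round(value, PRECISION)
    return {"normalized_score": fixed, "severity": severity_for(fixed), "rationale": rationale}


def score_finding(signals: Dict[str, Tuple[float, float]], *, cvss: float, kev: bool,
                  vex_status: Optional[str] = None, provenance_trust: float = 1.0,
                  override: Optional[dict] = None, now_day: int = 0) -> dict:
    """signals: factor -> (value in 0..1, age in days). Returns score, band, rationale."""
    rationale: List[str] = []
    # 1. VEX gate: a not_affected statement short-circuits to 0.0.
    if vex_status == "not_affected":
        return _result(0.0, ["vex:not_affected -> short-circuit 0.0"])
    # 2. Trust gate, fail branch: untrusted provenance produces no score.
    if provenance_trust < TRUST_FAIL_BELOW:
        return _result(0.0, [f"trust gate failed ({provenance_trust} < {TRUST_FAIL_BELOW})"])
    # 3. Weighted sum in stable (sorted) factor order with decay and per-factor caps.
    family_totals = {family: 0.0 for family in FAMILY_CAPS}
    for name in sorted(signals):
        spec = FACTORS[name]
        value, age = signals[name]
        contrib = min(spec["weight"] * decay(clamp01(value), age), spec["cap"])
        family_totals[spec["family"]] += contrib
        rationale.append(f"{name}: contrib={contrib:.4f}")
    # 4. Family caps, then normalize the raw sum to 0..1.
    raw = sum(min(total, FAMILY_CAPS[f]) for f, total in sorted(family_totals.items()))
    normalized = raw / sum(FAMILY_CAPS.values())
    rationale.append(f"raw={raw:.4f} normalized={normalized:.4f}")
    # 5. CVSS + KEV boost used as a floor (assumed combination rule).
    floor = clamp01(cvss / 10.0 + (KEV_BONUS if kev else 0.0))
    if floor > normalized:
        rationale.append(f"boost floor {floor:.4f} applied (kev={kev})")
        normalized = floor
    # 6. Trust gate, down-weight branch.
    if provenance_trust < 1.0:
        normalized *= provenance_trust
        rationale.append(f"down-weighted by trust {provenance_trust}")
    # 7. Tenant/asset override with expiry; the audit trail records it either way.
    if override:
        if now_day <= override["expires_day"]:
            normalized = clamp01(override["score"])
            rationale.append(f"override applied: {override['reason']}")
        else:
            rationale.append("override expired, ignored")
    return _result(normalized, rationale)


def fixture_hash(result: dict) -> str:
    """SHA256 over canonical JSON: the value to record beside a sample fixture."""
    canonical = json.dumps(result, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed finding: CVSS 7.5, on the KEV list, exposure signal 30 days old.
    sample = {"cvss": (0.75, 0), "kev": (1.0, 0), "exposure": (1.0, 30), "exploit_chatter": (0.5, 0)}
    out = score_finding(sample, cvss=7.5, kev=True)
    print(json.dumps(out, indent=2), fixture_hash(out))
```

Because the rationale list is built in sorted factor order and the fixture hash is taken over canonical JSON, the same finding yields the same SHA256 regardless of the order in which signals were collected, which is what makes the recorded hashes in the samples directory a meaningful regression check.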