Status
This document tracks the future-looking risk scoring model for Vexer. The calculation below is not active yet; Sprint 7 work will add the required schema fields, policy controls, and services. Until that ships, Vexer emits consensus statuses without numeric scores.
Scoring model (target state)
S = Gate(VEX_status) × W_trust(source) × [Severity_base × (1 + α·KEV + β·EPSS)]
- Gate(VEX_status): affected/under_investigation → 1, not_affected/fixed → 0. A trusted "not affected" or "fixed" still zeroes the score.
- W_trust(source): normalized policy weight (baseline 0–1). Policies may opt into >1 boosts for signed vendor feeds once Phase 1 closes.
- Severity_base: canonical numeric severity from Feedser (CVSS or org-defined scale).
- KEV flag: 0/1 boost when CISA Known Exploited Vulnerabilities applies.
- EPSS: probability [0,1]; bounded multiplier.
- α, β: configurable coefficients (default α=0.25, β=0.5) stored in policy.
Safeguards: freeze boosts when product identity is unknown, clamp outputs ≥0, and log every factor in the audit trail.
Implementation roadmap
| Phase | Scope | Artifacts |
|---|---|---|
| Phase 1 – Schema foundations | Extend Vexer consensus/claims and Feedser canonical advisories with severity, KEV, EPSS, and expose α/β + weight ceilings in policy. | Sprint 7 tasks VEXER-CORE-02-001, VEXER-POLICY-02-001, VEXER-STORAGE-02-001, FEEDCORE-ENGINE-07-001. |
| Phase 2 – Deterministic score engine | Implement a scoring component that executes alongside consensus and persists score envelopes with hashes. | Planned task VEXER-CORE-02-002 (backlog). |
| Phase 3 – Surfacing & enforcement | Expose scores via WebService/CLI, integrate with Feedser noise priors, and enforce policy-based suppressions. | To be scheduled after Phase 2. |
Data model (after Phase 1)
```json
{
  "vulnerabilityId": "CVE-2025-12345",
  "product": "pkg:name@version",
  "consensus": {
    "status": "affected",
    "policyRevisionId": "rev-12",
    "policyDigest": "0D9AEC…"
  },
  "signals": {
    "severity": {"scheme": "CVSS:3.1", "score": 7.5},
    "kev": true,
    "epss": 0.40
  },
  "policy": {
    "weight": 1.15,
    "alpha": 0.25,
    "beta": 0.5
  },
  "score": {
    "value": 10.8,
    "generatedAt": "2025-11-05T14:12:30Z",
    "audit": [
      "gate:affected",
      "weight:1.15",
      "severity:7.5",
      "kev:1",
      "epss:0.40"
    ]
  }
}
```
Operational guidance
- Inputs: Feedser delivers severity/KEV/EPSS via the advisory event log; Vexer connectors load VEX statements. Policy owns trust tiers and coefficients.
- Processing: the scoring engine (Phase 2) runs next to consensus, storing results with deterministic hashes so exports and attestations can reference them.
- Consumption: WebService/CLI will return consensus plus score; scanners may suppress findings only when policy-authorized VEX gating and signed score envelopes agree.
Pseudocode (Phase 2 preview)
```python
def risk_score(gate, weight, severity, kev, epss, alpha, beta, freeze_boosts=False):
    """S = Gate × W_trust × [Severity_base × (1 + α·KEV + β·EPSS)], clamped at 0."""
    if gate == 0:
        # not_affected / fixed: a trusted negative statement zeroes the score
        return 0
    if freeze_boosts:
        # product identity unknown: KEV/EPSS boosts are frozen (safeguard)
        kev, epss = 0, 0
    boost = 1 + alpha * kev + beta * epss
    return max(0, weight * severity * boost)
```
FAQ
- Can operators opt out? Set α=β=0 or keep weights ≤1.0 via policy.
- What about missing signals? Treat them as zero and log the omission.
- When will this ship? Phase 1 is planned for Sprint 7; later phases depend on connector coverage and attestation delivery.
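As an added example that is not Vexer's own code, the following Python sketch of the Phase 2 engine applies the scoring model to an input shaped like the data-model JSON above: it maps the VEX status through the gate, records every factor in the audit list, treats missing signals as zero with a logged omission (as the FAQ prescribes), freezes boosts on request, and hashes the canonical envelope so exports can reference it deterministically. The function name `score_envelope`, the `GATE` table, and the `missing:`/`boosts:frozen` audit entries and `digest` field are assumptions, not part of the documented schema.

```python
import hashlib
import json

# Gate(VEX_status): only these two statuses keep a non-zero score.
GATE = {"affected": 1, "under_investigation": 1, "not_affected": 0, "fixed": 0}


def score_envelope(vuln_id, product, status, signals, policy, freeze_boosts=False):
    """Compute S = Gate x W_trust x [Severity_base x (1 + alpha*KEV + beta*EPSS)]
    and return an envelope shaped like the Phase 1 data model, with an audit list
    of every factor and a deterministic SHA-256 digest of the canonical envelope.
    Missing keys in `signals` count as zero and are logged in the audit trail."""
    audit = [f"gate:{status}"]
    gate = GATE[status]  # an unknown status raises instead of scoring silently
    weight, alpha, beta = policy["weight"], policy["alpha"], policy["beta"]
    sev = signals.get("severity")
    severity = sev["score"] if sev else 0
    kev = 1 if signals.get("kev") else 0
    epss = signals.get("epss") or 0.0
    for name in ("severity", "kev", "epss"):
        if signals.get(name) is None:
            audit.append(f"missing:{name}")  # FAQ: missing signal -> zero, log omission
    if freeze_boosts:
        kev, epss = 0, 0.0  # product identity unknown: freeze KEV/EPSS boosts
        audit.append("boosts:frozen")
    audit += [f"weight:{weight}", f"severity:{severity}", f"kev:{kev}", f"epss:{epss:.2f}"]
    boost = 1 + alpha * kev + beta * epss
    value = max(0.0, gate * weight * severity * boost)  # clamp output >= 0
    envelope = {
        "vulnerabilityId": vuln_id,
        "product": product,
        "consensus": {"status": status},
        "signals": signals,
        "policy": policy,
        "score": {"value": round(value, 3), "audit": audit},
    }
    # Canonical JSON (sorted keys, no whitespace) so identical inputs always hash
    # identically; a generatedAt timestamp would have to stay outside the hashed body.
    canonical = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    envelope["score"]["digest"] = hashlib.sha256(canonical).hexdigest()
    return envelope
```

With the sample values from the data model the function returns 12.506 (1.15 × 7.5 × 1.45), whereas the 10.8 shown in the sample envelope matches 7.5 × 1.45 = 10.875 with the weight left at 1.0, so a stored envelope's audit entries should be read to see which weight was applied.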