Public sample — redacted

Sample TrustScore Evidence Pack

This is the artifact a buyer, assessor or procurement team receives — a cryptographically sealed record of the measurement, the admissibility verdict, and the exact engine that produced them. Below is a redacted example for a fictional project.

Measurement axis
79.3BBBLower Medium

Adequate trust signal; investment-grade range.

Signal only. The TrustScore measures posture — it does not, on its own, authorize a release.

Admissibility verdict
BLOCK · SECURITY

Blocked — critical security gate. kev_block must clear; score is not a factor.

The verdict enforces policy gates. A strong score never overrides a failed security-hard gate.

TrustScore measures posture. Verdict enforces policy gates.

That is why this project can sit in the investment-grade BBB band and still be blocked: a single known-exploited vulnerability fails a non-waivable security gate, and no score can clear it.

Admissibility gates

Every gate is evaluated to a pass / warn / fail predicate. Class precedence is fixed: a security-hard failure dominates the verdict regardless of lower-class gates.

GateClassResultWaiverDetail
kev_blockSecurity (hard) FAILNon-waivable1 known-exploited (KEV) finding — CVE-2026-1337 [cisa-kev-2026-06-19]
critical_vulnSecurity (hard) PASSDual control0 unwaived critical findings (max 0)
pass_thresholdPolicy threshold PASSNon-waivableTrustScore 79.3 vs threshold 75
domain_failPolicy threshold PASSExec acceptanceAll domains above fail floor (>5)
pqc_floorPolicy threshold PASSProfilepqc_readiness signal 61.0 (floor proxy 5)
domain_warnAdvisory WARNn/aai_risk domain in warn band (18.4 < 20)

Score breakdown — six weighted domains

Compliance84
Vulnerabilities71
AI Risk18
Supply Chain88
PQC Readiness61
Operations90

Signed manifest & integrity seal

The verdict, the engine constants and the version tuple are sealed inside a SHA-256 (optionally HMAC) digest, so the decision a buyer acts on is attested — not re-derived outside the audit path.

{
  "scoring_engine_version": "0.2.0",
  "policy_version": "2.4",
  "decision_policy_version": "1.0",
  "decision_policy": {
    "pass_threshold": 75,
    "critical_vuln_max": 0,
    "kev_feed_version": "cisa-kev-2026-06-19"
  },
  "verdict": {
    "decision": "block_security",
    "authoritative_gate_class": "security_hard",
    "failed_blocking_gates": ["kev_block"],
    "deployable": false,
    "gate_result": "fail",
    "measurement": { "trust_score": 79.3, "band": "BBB", "tier": "Lower Medium" }
  },
  "engine_constants": { "ess_basis": "pre_clip", "band_window": 2 },
  "seal": {
    "algorithm": "SHA-256",
    "digest": "9f2c41a7e0b8d63f5a1c84be72d09f1c6a4e3b8d05f7c29a1e4b6d8f03a2c7e91"
  }
}

Digest shown is illustrative. In a live pack the seal verifies against the sealed payload and rejects any engine-constant divergence or non-canonical version.

Bring evidence, not assertions, to your next review

Generate signed evidence packs your assessors and procurement teams can verify independently.