Fuse the signals. Sign the decision.
Every dpndncY verdict — firewall block, scan finding, runtime trace — is computed from the same multi-signal stack and shipped as a DSSE-signed in-toto Statement.
The signal stack
For every finding or admission request, the engine fuses:
| Signal | Source | Cardinality |
|---|---|---|
| CISA KEV | cisa.gov/known-exploited-vulnerabilities-catalog | Boolean |
| EPSS | first.org/epss/data | 0.00 – 1.00 |
| ExploitDB | exploit-db.com | Count of public exploits |
| Exploit Window Forecast (EWF) | dpndncY proprietary | Days-until-exploit estimate |
| Reachability | AST + call-graph traversal (JS/TS, Python) | Reachable / not reachable |
| Attack-path score | Force-directed graph traversal | 0 – 100 |
| AI-code amplification | Git-signal + structural deviation | 0 – 100 |
| Trust delta | dpndncY proprietary | Δ vs. last approved version |
| License obligations | SPDX + obligation graph | Set of obligation tags |
Decision tiers
The decision engine outputs one of four tiers with a hard SLA deadline:
- Patch Now — 48 hours. Fires when KEV is true and reachability is positive, or when EPSS ≥ 0.95 with any signal.
- Patch This Sprint — 336 hours (14 days). Default for high-severity-with-context.
- Monitor — 720 hours (30 days). Severity is real but no exploit signal.
- Accept Risk — open-ended. Requires a signed waiver with expiry.
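The tier rules above, worked through as an added example (illustrative code, not dpndncY's engine). The Patch Now triggers (KEV and reachable, or EPSS ≥ 0.95) and the SLA hours come from the list above; the severity scale, the reading of "high-severity-with-context" as high or critical severity plus at least one corroborating signal, the rule that a waiver never overrides Patch Now, and the `Signals` field names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added illustration of the four decision tiers. Patch Now triggers and SLA
# hours are the page's; severity scale, the "with-context" reading, the
# waiver ordering and the field names are assumptions.

SLA_HOURS = {
    "patch-now": 48,
    "patch-this-sprint": 336,   # 14 days
    "monitor": 720,             # 30 days
    "accept-risk": None,        # open-ended, backed by a signed waiver
}


@dataclass
class Signals:
    kev: bool                             # CISA KEV listing
    epss: float                           # EPSS probability, 0.00 - 1.00
    reachable: bool                       # call-graph reachability verdict
    severity: str                         # assumed scale: critical/high/medium/low
    exploitdb_count: int = 0              # number of public exploits
    waiver_expires: Optional[str] = None  # YYYY-MM-DD expiry of a signed waiver


def has_exploit_signal(s: Signals) -> bool:
    """Any of the exploit-side signals is positive."""
    return s.kev or s.epss >= 0.95 or s.exploitdb_count > 0


def decide(s: Signals, today: str) -> str:
    """Return the tier for one finding. `today` is YYYY-MM-DD so the waiver
    expiry can be compared as a string."""
    # Page rule: KEV true AND reachable, or EPSS >= 0.95 with any other signal.
    if (s.kev and s.reachable) or s.epss >= 0.95:
        return "patch-now"
    # Assumption: an unexpired signed waiver accepts anything below Patch Now.
    if s.waiver_expires is not None and s.waiver_expires > today:
        return "accept-risk"
    # Assumption: "high-severity-with-context" = high/critical plus a
    # corroborating signal (reachable, or any exploit signal).
    if s.severity in ("critical", "high") and (s.reachable or has_exploit_signal(s)):
        return "patch-this-sprint"
    # Everything else: severity is real but no exploit signal backs it.
    return "monitor"


def sla_deadline(tier: str, decided_at: str) -> Optional[str]:
    """Hard deadline for a tier, as an ISO-8601 UTC timestamp; None for
    open-ended Accept Risk."""
    hours = SLA_HOURS[tier]
    if hours is None:
        return None
    t = datetime.strptime(decided_at, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (t + timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    # Constructed finding: KEV-listed and reachable, EPSS just under 0.95.
    finding = Signals(kev=True, epss=0.94, reachable=True, severity="critical")
    tier = decide(finding, "2026-06-01")
    print(tier, sla_deadline(tier, "2026-06-01T12:00:00Z"))
```

The ordering matters: the waiver check sits after the Patch Now rule so that a signed risk acceptance cannot silence a KEV-listed, reachable vulnerability, and an expired waiver is simply ignored rather than extended.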
What gets signed
Every verdict ships as a DSSE envelope wrapping a SLSA in-toto v1 Statement. The predicate carries:
Example decision payload:

```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "predicateType": "https://dpndncy.io/firewall/v1",
  "subject": [{ "name": "[email protected]", "digest": { "sha256": "a1b2c3…" } }],
  "predicate": {
    "verdict": "block",
    "tier": "patch-now",
    "sla_hours": 48,
    "signals": {
      "kev": { "value": true, "source": "https://cisa.gov/.../catalog.json", "fetched_at": "2026-06-01T12:00:00Z" },
      "epss": { "value": 0.94, "source": "https://first.org/epss/api?cve=CVE-2021-44228" },
      "exploitdb": { "ids": ["50592", "50628"] },
      "reachability": { "reachable": true, "path": ["src/server.js:42 → log4j.Logger.error"] }
    },
    "policy_version": "policies/main@sha:7f8e9d",
    "trust_delta": null
  }
}
```

Verification
The standalone dpndncy-verify binary checks any signed evidence offline. See dpndncy-verify reference.
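The envelope layout from "What gets signed" and the checks an offline verifier performs on it, as an added example (illustrative code, not dpndncY's engine or the dpndncy-verify binary). The `_type` and `predicateType` strings are the page's; the DSSE payload type `application/vnd.in-toto+json` is the standard one for in-toto Statements. HMAC-SHA256 stands in for the asymmetric signature a real deployment would use (an assumption chosen so the block runs on the standard library alone), and the key, key id, package name and artifact bytes are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Added illustration of a DSSE envelope wrapping an in-toto v1 Statement and
# of offline verification. Not dpndncY's code. HMAC-SHA256 is a stand-in for
# an asymmetric signature (assumption); all DEMO_* values are constructed.

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
PREDICATE_TYPE = "https://dpndncy.io/firewall/v1"   # from the page's payload
PAYLOAD_TYPE = "application/vnd.in-toto+json"       # standard DSSE type for in-toto

DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_KEYID = "demo-key-1"
DEMO_ARTIFACT = b"constructed package tarball bytes"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def pae(payload_type: str, body: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding. Signing this rather than the raw body
    binds payloadType into the signature, so a body cannot be replayed under
    another content type."""
    pt = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(pt)).encode(), pt, str(len(body)).encode(), body])


def make_statement(name: str, artifact: bytes, predicate: dict) -> dict:
    """in-toto v1 Statement whose subject is the sha256 of the artifact."""
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": PREDICATE_TYPE,
        "predicate": predicate,
    }


def encode_body(statement: dict) -> bytes:
    return json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()


def sign_envelope(statement: dict, key: bytes, keyid: str) -> dict:
    body = encode_body(statement)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, body), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": b64(body),
            "signatures": [{"keyid": keyid, "sig": b64(sig)}]}


def verify_envelope(envelope: dict, trusted_keys: dict, artifact: bytes = None):
    """Offline verification. Returns (ok, reason, statement_or_None)."""
    body = base64.b64decode(envelope["payload"])
    # 1. A signature over the PAE by a key we already trust. keyid is only a
    #    hint for key lookup; trust comes from the trusted_keys table.
    signed_bytes = pae(envelope.get("payloadType", ""), body)
    for s in envelope.get("signatures", []):
        key = trusted_keys.get(s.get("keyid"))
        if key is None:
            continue
        expected = hmac.new(key, signed_bytes, hashlib.sha256).digest()
        if hmac.compare_digest(expected, base64.b64decode(s["sig"])):
            break
    else:
        return False, "no valid signature from a trusted key", None
    # 2. Only now parse the payload and check it is the statement type we expect.
    if envelope["payloadType"] != PAYLOAD_TYPE:
        return False, "unexpected payloadType", None
    statement = json.loads(body)
    if statement.get("_type") != IN_TOTO_STATEMENT_V1 or statement.get("predicateType") != PREDICATE_TYPE:
        return False, "unexpected statement or predicate type", None
    # 3. Bind the evidence to the artifact actually in hand.
    if artifact is not None:
        digest = hashlib.sha256(artifact).hexdigest()
        if not any(sub.get("digest", {}).get("sha256") == digest for sub in statement.get("subject", [])):
            return False, "artifact digest does not match any subject", None
    return True, "ok", statement


def build_demo_envelope() -> dict:
    """Constructed verdict in the shape of the page's example payload."""
    predicate = {"verdict": "block", "tier": "patch-now", "sla_hours": 48,
                 "signals": {"kev": {"value": True}, "epss": {"value": 0.94}},
                 "policy_version": "policies/main@sha:7f8e9d"}
    statement = make_statement("example-package@1.0.0", DEMO_ARTIFACT, predicate)
    return sign_envelope(statement, DEMO_KEY, DEMO_KEYID)


def with_tier(envelope: dict, new_tier: str) -> dict:
    """Simulate post-signing tampering: edit the payload without re-signing."""
    statement = json.loads(base64.b64decode(envelope["payload"]))
    statement["predicate"]["tier"] = new_tier
    return {**envelope, "payload": b64(encode_body(statement))}


if __name__ == "__main__":
    env = build_demo_envelope()
    print(json.dumps(env, indent=2))
    print(verify_envelope(env, {DEMO_KEYID: DEMO_KEY}, DEMO_ARTIFACT)[:2])
    print(verify_envelope(with_tier(env, "monitor"), {DEMO_KEYID: DEMO_KEY}, DEMO_ARTIFACT)[:2])
```

Two points are worth noticing in the verifier: the payload is not parsed until a trusted key has validated it, so a malformed or hostile JSON body never reaches the parser unauthenticated, and the artifact digest is compared against the statement's subject so that a genuine verdict for one package cannot be presented as evidence for another.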
Signals carry their sources
Every signal carries its source URL and a timestamp. That means an auditor — or your future self — can reconstruct exactly why a decision went the way it did, even three years later.