Methodology v2.1

Scoring methodology

Every number in the Fidensa scoring system traces to an established framework, a documented pairwise comparison, or a scenario-validated design choice. This page explains how trust scores, letter grades, and certification tiers are computed.


Three-layer architecture

The scoring system operates in three layers. Each layer is grounded in a different established framework, and each answers a distinct question.

1. Finding severity

Question: How much does each finding deduct from a signal?
Grounding: CVSS v4.0 (FIRST.org)

Severity ratios derived from CVSS v4.0's expert-calibrated scale: 15 million scoring vectors, 270 equivalence classes, and 30+ expert pairwise comparisons processed through Elo ratings. The resulting midpoint ratios govern all deduction curves.

2. Signal aggregation

Question: How are signals weighted and combined into a score?
Grounding: CVSS v4.0 methodology, SLSA, ISO/IEC 25010

Eight signals organized into three categories (Safety, Verifiability, Utility) with weights derived from documented pairwise comparisons. Category weights follow the ordering: Safety > Verifiability > Utility.

3. Grade boundaries

Question: Where do letter grade cutoffs fall?
Grounding: Finding-profile derivation (adapted from CVSS v4.0 boundary process)

Each grade is defined by a representative finding profile, then verified against the computed score scale. Grades map to universally understood quality assessments: A (Excellent) through F (Failure), with the F grade qualified as F-U (Unverifiable) or F-D (Dangerous).


Layer 1: Finding severity

Findings are classified into two categories based on what they represent. This distinction is grounded in NIST SP 800-30’s concept of compounding risk factors: correlated failures are worse than the sum of their parts.

Integrity failures (Critical, High)

Non-linear decay with compounding penalties. Repeated integrity failures indicate systemic risk and are penalized more aggressively than their individual severities would suggest.

Quality erosion (Medium, Low)

Asymptotic decay toward a hard floor. Quality issues degrade confidence but do not destroy trust. Each severity level has a defined minimum signal value it cannot push below.

CVSS-derived severity ratios

The deduction ratios are not invented. They are derived from CVSS v4.0’s expert-calibrated severity scale using the midpoint of each qualitative range, normalized to Critical = 1.0. This ensures that the relative impact of a High finding versus a Medium finding reflects the consensus of the security research community, not an arbitrary choice.
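As an added illustration (not Fidensa's own code), the midpoint derivation just described together with the two deduction families from the previous section, applied to a single signal. The CVSS v4.0 qualitative ranges are the published ones; the base deduction, compounding factor and per-severity floors are assumptions, marked as such in the code.

```python
"""Added example, not Fidensa's own code: derive the CVSS v4.0 midpoint ratios
and apply the two deduction families the page describes to a single signal."""

# CVSS v4.0 qualitative severity ranges as published by FIRST.org. Everything
# below that is marked ASSUMED is an illustrative choice, not a Fidensa value.
CVSS_RANGES = {"Critical": (9.0, 10.0), "High": (7.0, 8.9),
               "Medium": (4.0, 6.9), "Low": (0.1, 3.9)}

def severity_ratios():
    """Midpoint of each qualitative range, normalized so Critical = 1.0."""
    mid = {sev: (lo + hi) / 2 for sev, (lo, hi) in CVSS_RANGES.items()}
    return {sev: m / mid["Critical"] for sev, m in mid.items()}

RATIO = severity_ratios()

# ASSUMED curve parameters: the page publishes neither the base deduction, the
# compounding factor nor the per-severity floors.
BASE_DEDUCTION = 35.0                          # points one Critical finding removes
COMPOUND = 1.5                                 # each repeated integrity failure costs 1.5x the previous one
QUALITY_FLOOR = {"Medium": 40.0, "Low": 70.0}  # hard floor a severity cannot push below
QUALITY_STEP = 0.5                             # fraction of headroom-to-floor removed per finding

def integrity_penalty(severities):
    """Critical/High: compounding, so n findings cost more than n single ones."""
    ordered = sorted(severities, key=RATIO.get, reverse=True)
    return sum(BASE_DEDUCTION * RATIO[sev] * COMPOUND ** i
               for i, sev in enumerate(ordered))

def quality_signal(start, severities):
    """Medium/Low: each finding removes a fixed fraction of the distance to its
    severity's floor, so the value decays asymptotically and never crosses it."""
    value = start
    for sev in severities:
        floor = QUALITY_FLOOR[sev]
        if value > floor:
            value = floor + (value - floor) * (1 - QUALITY_STEP * RATIO[sev])
    return value

def signal_value(findings):
    """Integrity deductions first, then quality erosion; clamped to [0, 100]."""
    integrity = [s for s in findings if s in ("Critical", "High")]
    quality = [s for s in findings if s in ("Medium", "Low")]
    after_integrity = max(0.0, 100.0 - integrity_penalty(integrity))
    return round(quality_signal(after_integrity, quality), 2)

if __name__ == "__main__":
    print(severity_ratios())
    print("two Highs:", integrity_penalty(["High", "High"]),
          "vs 2 x one High:", 2 * integrity_penalty(["High"]))
```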

Adversarial finding classification

Adversarial test findings use an impact-based classification system that determines how each finding affects the trust score. The golden rule is impact over intent — classification is based on what the finding demonstrates, not what the attacker intended.

Block: Confirmed data leak, successful injection, or crash. Severe score impact.

Warn: Partial success or concerning behavior. CVSS-calibrated decay applied.

Review: Ambiguous behavior requiring human judgment. Limited deduction.

Info: Defensive behavior, expected rejection, or informational observation. Zero score impact.


Layer 2: Signal aggregation

The trust score is computed from eight signals organized into three categories. Category weights are derived from documented pairwise comparisons following the CVSS v4.0 calibration methodology.

Category weights

Safety is a prerequisite for utility, and verifiability prevents safety theater. The ordering Safety > Verifiability > Utility follows from three pairwise comparisons:

Safety vs. Utility: Safety (wide margin)

A capability that works perfectly but isn't safe is dangerous. A safe capability that doesn't work is useless but harmless.

Safety vs. Verifiability: Safety (close)

Safety is the state of the object; verifiability is the proof of that state. Immediate risk of harm outweighs the risk of audit failure.

Utility vs. Verifiability: Verifiability

In a trust registry, a verified mediocre tool is more valuable than a black-box miracle tool because the former allows risk management.

Signal structure

Eight signals contribute to the trust score. Within each category, weights reflect the fidelity and directness of the evidence each signal provides. Safety carries the most weight overall, with adversarial testing valued highest within it because active exploitation is the highest-fidelity proof of danger.

Category       | Signal                 | Grounding
Safety         | Adversarial            | CVSS Exploit Maturity: active exploitation is highest-fidelity proof of danger
Safety         | Security Scan          | Known vulnerabilities are identified risks, often theoretical
Safety         | Supply Chain           | Ingredient quality is a secondary indicator per SLSA
Verifiability  | Provenance             | The birth certificate. SLSA: provenance is the foundational requirement
Verifiability  | Consumer Confirmations | Peer review. Social corroboration per NIST SP 800-30
Utility        | Behavioral Pass Rate   | Functional correctness per ISO/IEC 25010
Utility        | Contract Accuracy      | Interface compliance per ISO/IEC 25010
Utility        | Uptime                 | Availability. A wrong answer is worse than no answer

Utility confidence multiplier

Utility functions as both a direct score contributor and a confidence multiplier. If a capability doesn’t work, confidence in its safety and verifiability assessments is diminished — an unreliable capability may not have been adequately exercised during testing. This is grounded in NIST SP 800-30’s principle that risk factors compound.

The multiplier floor is tiered based on the safety profile. A capability with a clean safety profile but no functional evidence receives a milder drag than one with active safety findings. This prevents safe-but-untestable capabilities from scoring identically to actively dangerous ones.
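An added example, not Fidensa's own implementation, of Layer 2 as described above: weighted aggregation of the eight signals into three categories, followed by the utility confidence multiplier with a tiered floor. The signal and category names are the page's; the numeric weights and floors are assumptions, since the page publishes only the orderings.

```python
"""Added example, not Fidensa's own code: combine the eight signals into a trust
score with the utility confidence multiplier and its tiered floor."""

# The eight signals grouped by category exactly as the page lists them.
CATEGORIES = {
    "safety": ["adversarial", "security_scan", "supply_chain"],
    "verifiability": ["provenance", "consumer_confirmations"],
    "utility": ["behavioral_pass_rate", "contract_accuracy", "uptime"],
}
# ASSUMED weights. The page states only the ordering Safety > Verifiability >
# Utility and that adversarial testing weighs most within Safety.
CATEGORY_WEIGHT = {"safety": 0.5, "verifiability": 0.3, "utility": 0.2}
SIGNAL_WEIGHT = {                      # each category's weights sum to 1.0
    "adversarial": 0.5, "security_scan": 0.3, "supply_chain": 0.2,
    "provenance": 0.6, "consumer_confirmations": 0.4,
    "behavioral_pass_rate": 0.5, "contract_accuracy": 0.3, "uptime": 0.2,
}
# ASSUMED tiered floors: a clean safety profile is dragged down less than one
# with active safety findings, so the two cannot score identically.
MULTIPLIER_FLOOR = {"clean": 0.7, "active_findings": 0.4}

def category_score(signals, category):
    """Weighted combination of one category's signals (each on a 0-100 scale)."""
    return sum(signals[n] * SIGNAL_WEIGHT[n] for n in CATEGORIES[category])

def utility_multiplier(utility_score, safety_findings_present):
    """Utility also scales confidence in the safety and verifiability results,
    but never below the floor chosen by the safety profile."""
    tier = "active_findings" if safety_findings_present else "clean"
    return max(MULTIPLIER_FLOOR[tier], utility_score / 100.0)

def trust_score(signals, safety_findings_present):
    """Direct weighted sum of categories, then the confidence multiplier."""
    cats = {c: category_score(signals, c) for c in CATEGORIES}
    direct = sum(CATEGORY_WEIGHT[c] * cats[c] for c in CATEGORIES)
    return round(direct * utility_multiplier(cats["utility"], safety_findings_present), 1)

# Constructed samples: clean safety and full provenance, but no functional
# evidence at all (the page's F-U profile) ...
SAFE_UNTESTED = {"adversarial": 100, "security_scan": 100, "supply_chain": 100,
                 "provenance": 100, "consumer_confirmations": 80,
                 "behavioral_pass_rate": 0, "contract_accuracy": 0, "uptime": 0}
# ... and the same utility gap with active safety findings (the F-D profile).
DANGEROUS_UNTESTED = dict(SAFE_UNTESTED, adversarial=40, security_scan=60)

if __name__ == "__main__":
    print("safe but untested:", trust_score(SAFE_UNTESTED, False))          # 54.3
    print("dangerous and untested:", trust_score(DANGEROUS_UNTESTED, True))  # 22.6
```

Both constructed profiles land in the F range, but the tiered floor keeps the clean one well above the one with active safety findings.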


Layer 3: Grade boundaries

Grade boundaries are derived from representative finding profiles, not chosen arbitrarily. Each profile describes a typical capability at that grade level, and the estimated score range is produced by running the profile through the Layer 1 + Layer 2 model.

A (Excellent): 90 – 100

Clean safety profile. Minimal quality findings. Full provenance. High functional pass rate.

B (Good): 80 – 89

No critical findings. Minor safety or quality issues. Good provenance. Strong functional results.

C (Average): 72 – 79

No critical findings. Multiple high or medium findings. Some provenance gaps.

D (Poor): 65 – 71

Significant safety concerns or severe quality erosion. One finding away from failure.

F-U (Unverifiable): 0 – 64

Clean safety profile but insufficient functional evidence. Risk is low but utility is unproven.

F-D (Dangerous): 0 – 64

Active security or adversarial findings present. Not recommended.

Key structural properties

Safety’s dominant weight means a total safety failure makes a passing grade mathematically impossible. A single critical finding — combined with real-world noise from other signals — makes it very difficult to stay above the D threshold. A critical finding should be near-incompatible with a passing grade.

The D range (65–71) is deliberately narrow. A capability in this band is either clearly passing or one finding away from failure. This communicates urgency without false condemnation.


Certification tiers

The trust score and the certification tier are independent assessments. The score is a numeric summary of overall trustworthiness. The tier is a pass/fail judgment based on finding-severity thresholds, modeled on UL (Underwriters Laboratories) product certification per ISO/IEC 17065.

A capability can have a high trust score and a Verified (not Certified) tier if it has clean signals everywhere except one critical adversarial finding. The score says “mostly trustworthy.” The tier says “didn’t pass the safety gate.” Both are correct.

Fidensa Certified

No unmitigated critical findings. No more than two unmitigated high findings. Pipeline completed.

Fidensa Verified

Pipeline completed. Findings of any severity documented. Evidence-backed contract issued.

Fidensa Evaluated

Pipeline ran with partial coverage. Incomplete data. Contract documents what was found.


OWASP MCP Top 10 coverage

The OWASP MCP Top 10 is the emerging industry vocabulary for MCP security risk. Fidensa’s pipeline stages map to it as follows. This is not the totality of what Fidensa evaluates — behavioral fingerprinting, functional correctness, and provenance verification go beyond the OWASP scope.

OWASP Risk                     | Pipeline Coverage
MCP01 Token Mismanagement      | Security Scan (Stage 2B)
MCP02 Privilege Escalation     | Adversarial Testing (Stage 3B), Behavioral Fingerprint drift detection
MCP03 Tool Poisoning           | Adversarial Testing (Stage 3B)
MCP04 Supply Chain Compromise  | SBOM Analysis (Stage 2A), Provenance (Stage 1)
MCP05 Command Injection        | Adversarial Testing (Stage 3B), Security Scan (Stage 2B)
MCP06 Intent Subversion        | Adversarial Testing (Stage 3B)
MCP07 Insufficient Auth        | Security Scan (Stage 2B)
MCP08 Lack of Audit Trail      | Provenance (Stage 1), Consumer Reports
MCP09 Shadow Servers           | Security Scan (Stage 2B)
MCP10 Context Injection        | Adversarial Testing (Stage 3B)

Maturity indicator

The maturity indicator is an orthogonal dimension that communicates how much real-world validation backs the trust score. A score of 91/A/Initial means excellent pipeline results with no field data yet. A score of 85/B/Proven means good results confirmed by hundreds of consumers over six months.

●○○○ Initial
Pipeline only. Zero external data.
Lab results only.

●●○○ Emerging
10+ reports OR 30+ days monitoring.
Early field signals.

●●●○ Established
50+ reports from 10+ consumers AND 90+ days monitoring.
Meaningful field validation.

●●●● Proven
200+ reports from 25+ consumers AND 180+ days monitoring AND re-certification.
Extensive field validation.


Risk tags

Risk tags are additive metadata included in every certification contract. They have zero score impact but enable granular policy enforcement. A consumer policy engine might allow Grade D capabilities but block any tagged ADV, or require manual review for SC tags.

ADV: Adversarial findings present

SEC: Security scan findings present

SC: Supply chain vulnerabilities present

PRV: Provenance gaps identified
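An added example, not Fidensa's own code, that ties together the grade boundaries, the certification tier gate and the risk tags described above, including the case of a high score paired with a Verified (not Certified) tier. The finding-source names, the reading of which findings make an F into F-D, and the policy's treatment of F grades are assumptions, labelled in the code.

```python
"""Added example, not Fidensa's own code: map a trust score and its findings to a
letter grade, a certification tier, risk tags and one consumer policy decision."""
from dataclasses import dataclass
@dataclass(frozen=True)
class Finding:
    source: str           # ASSUMED names: "adversarial", "security_scan", "supply_chain", "provenance"
    severity: str         # "Critical", "High", "Medium", "Low"
    mitigated: bool = False

# Grade cutoffs from the page: A 90-100, B 80-89, C 72-79, D 65-71, F 0-64.
GRADE_FLOORS = [("A", 90), ("B", 80), ("C", 72), ("D", 65)]
# ASSUMED reading of "active security or adversarial findings": unmitigated
# findings from these two sources qualify an F as F-D rather than F-U.
DANGEROUS_SOURCES = ("adversarial", "security_scan")
TAG_FOR_SOURCE = {"adversarial": "ADV", "security_scan": "SEC",
                  "supply_chain": "SC", "provenance": "PRV"}

def letter_grade(score, findings):
    """Below 65 the F is qualified: F-D when dangerous findings are active,
    otherwise F-U (risk low, utility unproven)."""
    for grade, floor in GRADE_FLOORS:
        if score >= floor:
            return grade
    dangerous = any(f.source in DANGEROUS_SOURCES and not f.mitigated for f in findings)
    return "F-D" if dangerous else "F-U"

def certification_tier(findings, pipeline_completed=True):
    """Pass/fail gate on finding-severity thresholds, independent of the score."""
    if not pipeline_completed:           # partial coverage, incomplete data
        return "Evaluated"
    open_ = [f for f in findings if not f.mitigated]
    criticals = sum(f.severity == "Critical" for f in open_)
    highs = sum(f.severity == "High" for f in open_)
    return "Certified" if criticals == 0 and highs <= 2 else "Verified"

def risk_tags(findings):
    """Additive metadata with zero score impact, one tag per finding source."""
    return sorted({TAG_FOR_SOURCE[f.source] for f in findings})

def consumer_policy(grade, tags):
    """The page's sample policy: allow down to Grade D, block any ADV, send SC
    to manual review. Treating F grades as blocked is an ASSUMPTION."""
    if "ADV" in tags:
        return "block"
    if "SC" in tags:
        return "manual-review"
    return "allow" if grade in ("A", "B", "C", "D") else "block"

SCENARIO = [Finding("adversarial", "Critical")]  # the page's high-score-but-Verified case
```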


Calibration plan

All weights, deduction amounts, and grade boundaries are provisional. They are derived from established frameworks and documented reasoning, but they have not been empirically calibrated against a large body of certification data. Every published contract references the methodology version under which it was scored.

Phase 1: Provisional (current)

Full signal breakdowns published with every certification. Consumers can evaluate individual signals independently of the aggregate score.

Phase 2: Expert comparison (20+)

Present certification result pairs and ask “which capability would you trust more?” Use comparison data to identify weight adjustments.

Phase 3: Statistical analysis (50+)

Analyze signal correlation and variance. Consolidate or reweight signals that are redundant. Evaluate utility multiplier curve fitness.


Framework citations

Framework         | Publisher         | Influences
CVSS v4.0         | FIRST.org         | Finding severity ratios, severity boundary process, pairwise comparison methodology
NIST SP 800-30    | NIST              | Compounding risk factors, corroborating evidence classification, utility multiplier
SLSA v1.0         | Google / OpenSSF  | Provenance as foundational trust requirement
ISO/IEC 25010     | ISO               | Software quality characteristics ordering
ISO/IEC 17065     | ISO               | Certification body requirements, measurable criteria, evidence-based decisions
UL Model          | UL LLC            | Pass/fail certification against defined safety criteria
OWASP MCP Top 10  | OWASP             | Security risk coverage mapping for MCP capabilities