A versioned, contestable rubric.
A score is only comparable if the yardstick holds still — and only trustable if changes to the yardstick are public. The CAI rubric is versioned, contestable, and freezable for the duration of a contract.
Versioned. Contestable. Freezable.
Versioned
Any change that can move a score for unchanged code bumps the rubric version. Every survey pins the version it was scored under, so movement is always attributable — the asset changed, or the ruler did, and the record says which.
Contestable
A scoring change that isn't reflected in the published spec fails CI. Every number stays re-derivable from a rule you can read — there is no unpublished scoring behaviour to appeal to.
Freeze / pin for a contract
A contract can pin a repository to a frozen rubric for its duration, so a deal is scored against a fixed yardstick. No moving goalposts — the CAI underwritten at LOI and the number at close are directly comparable.
The instrument sharpens; the score never bends.
Findings can be contested — and that improves the instrument.
A scored finding can be disputed; disputes route to human triage. A confirmed false positive becomes a detector test so it can't recur. The instrument sharpens; the score never bends — a dispute is a signal, never a back door to the number.
Advisory data still refreshes.
A frozen rubric stops the ruler moving — it doesn't freeze the world. A newly disclosed CVE can legitimately move a security finding under the same rubric version. That is a real signal, and it is disclosed in the survey's changelog.
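As an added illustration (not canine.dev's code; the Survey and ContractPin types and their fields are assumptions), a minimal model of the rules above: each survey pins the rubric version it was scored under, a score delta is attributed to the asset, the ruler or the advisory feed, and a contract pin rejects a survey scored under any other version while logging legitimate movement to its changelog.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Survey:
    """One scored survey (constructed model): pins the rubric version it was scored under."""
    asset_hash: str         # identity of the code that was scored
    rubric_version: str     # the yardstick the number was derived from
    advisory_snapshot: str  # date of the CVE feed the security findings used
    score: int


def attribute_movement(before: Survey, after: Survey) -> List[str]:
    """Explain a score delta: the asset changed, the ruler changed, or advisories refreshed.

    Returns every contributing cause; a delta with none of them is flagged rather than
    silently accepted, because an unexplained move is exactly what the record must not hide.
    """
    if before.score == after.score:
        return []
    causes = []
    if before.asset_hash != after.asset_hash:
        causes.append("asset changed")
    if before.rubric_version != after.rubric_version:
        causes.append("rubric changed")
    if before.advisory_snapshot != after.advisory_snapshot:
        causes.append("advisory data refreshed")
    return causes or ["unexplained: same asset, rubric and advisories, yet the score moved"]


@dataclass
class ContractPin:
    """A contract freezes one rubric version for a repository for its duration (assumed shape)."""
    repo: str
    rubric_version: str
    changelog: List[str] = field(default_factory=list)

    def accept(self, survey: Survey, previous: Optional[Survey] = None) -> bool:
        """Reject a survey scored under any rubric but the pinned one; record legitimate movement."""
        if survey.rubric_version != self.rubric_version:
            return False  # the ruler moved: not comparable under this contract
        if previous is not None:
            for cause in attribute_movement(previous, survey):
                self.changelog.append(f"{previous.score}->{survey.score}: {cause}")
        return True
```

Under the pin, a newly disclosed CVE lowering the score is accepted and written to the changelog as an advisory refresh, while a survey scored under a bumped rubric version is refused outright.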
Score against a ruler you can read — and hold still.
Producers pin the rubric per survey → watchdog.canine.dev · Deals pin it per contract → assay.canine.dev