Rubric versions & governance

A versioned, contestable rubric.

A score is only comparable if the yardstick holds still — and only trustable if changes to the yardstick are public. The CAI rubric is versioned, contestable, and freezable for the duration of a contract.

The three guarantees

Versioned. Contestable. Freezable.

Versioned

Any change that can move a score for unchanged code bumps the rubric version. Every survey pins the version it was scored under, so movement is always attributable — the asset changed, or the ruler did, and the record says which.

Contestable

A scoring change that isn't reflected in the published spec fails CI. Every number stays re-derivable from a rule you can read — there is no unpublished scoring behaviour to appeal to.

Freeze / pin for a contract

A contract can pin a repository to a frozen rubric for its duration, so a deal is scored against a fixed yardstick. No moving goalposts — the CAI underwritten at LOI and the number at close are directly comparable.

Disputes, from the standard's side

The instrument sharpens; the score never bends.

Contest a finding

Findings can be contested — and that improves the instrument.

A scored finding can be disputed; disputes route to human triage. A confirmed false positive becomes a detector test so it can't recur. The instrument sharpens; the score never bends — a dispute is a signal, never a back door to the number.

Advisory data

Advisory data still refreshes.

A frozen rubric stops the ruler moving — it doesn't freeze the world. A newly disclosed CVE can legitimately move a security finding under the same rubric version. That is a real signal, and it is disclosed in the survey's changelog.

Version history

The rubric version history publishes here as versions ship; the current production rubric is pinned per survey and printed in every report.

Score against a ruler you can read — and hold still.

Producers pin the rubric per survey → watchdog.canine.dev · Deals pin it per contract → assay.canine.dev