Following a CNW meeting of the CVD working group, a question was raised about how the confidence level should be modelled. Here is a small proposal that could be included in BCP-07 at some point. The confidence value expresses how much trust is placed in a single evidence item, not in the vulnerability itself, so each item carries its own score:
| Confidence | Label | Meaning (confidence in this evidence item) | Typical exploitation evidence examples |
|---|---|---|---|
| 0.0 | None | No usable evidence or placeholder only | Empty claim; unresolved rumor with no traceability |
| 0.1 | Extremely low | Unreliable and uncorroborated; major gaps | Single anonymous post; vague claim of exploitation |
| 0.2 | Very low | Weak signal; high chance of misattribution | Ambiguous scanning activity; noisy or indirect telemetry |
| 0.3 | Low | Plausible but thin; limited traceability | Single non-authoritative report; partial indicators without artifacts |
| 0.4 | Low–moderate | Some structure and traceability; still uncertain | Reputable researcher hint with limited technical detail |
| 0.5 | Moderate | Credible but not fully validated; alternative explanations remain | Multiple consistent reports; exploitation attempts seen but success unclear |
| 0.6 | Moderate–high | Good evidence with reasonable verification | Honeypot telemetry showing exploit-like behavior; strong IOCs |
| 0.7 | High | Strong and fairly direct evidence; limited uncertainty | Incident response report with logs/artifacts consistent with exploitation |
| 0.8 | Very high | Direct evidence or strong multi-source corroboration | Forensics confirming exploit path; authoritative confirmation of in-the-wild exploitation |
| 0.9 | Near-certain | Highly direct, well-attributed, well-corroborated | Confirmed compromise with clear exploit attribution across independent sources |
| 1.0 | Certain | Practically proven; no plausible alternative explanation | Deterministic proof (e.g., full packet/log capture) tying exploitation to the vulnerability |