Proof principle: treat portal output as evidence about public signals and local workflow state. Treat environment impact as unproven until asset inventory, telemetry, vendor guidance, owner confirmation, or governance records support it.
What This Site Can Prove
Know the difference between portal evidence and environment proof.
Vuln Signal can prove what it loaded, how it interpreted that data, and what local workflow state exists in this browser. It cannot prove your asset exposure, compromise, or formal risk acceptance without outside systems.
What records, fields, route logic, and local notes are visible in the portal.
Priority, exposure themes, trust caveats, and suggested workflow lanes.
Whether your environment is affected, exploited, patched, or formally approved.
Turn signals into specific validation requests for the right owner.
Can Prove
Claims the site can support directly
A record is present in the loaded data
The portal can show that a CVE, advisory, vendor, campaign, or news item exists in the current loaded dataset or demo fallback.
A field or signal is attached to that record
The portal can show visible fields such as severity, CVSS, EPSS, KEV flag, public PoC flag, source confidence, patch state, or advisory source when present.
A route or workflow recommends a next step
The portal can prove its own workflow logic: which pages, tools, checklists, and handoff paths it recommends for a signal shape.
Local browser state exists
The portal can show saved items, notes, triage states, compare queues, feedback, and saved searches stored in this browser.
Can Infer
Useful conclusions that need careful language
Priority pressure
Queues can infer that a record deserves review because exploitation, KEV, PoC, exposure language, severity, source confidence, or patchability signals line up.
Likely workflow lane
Decision pages can infer patch, mitigate, monitor, investigate, detect, or escalate lanes based on the evidence pattern.
Theme or cluster relevance
Threat, ransomware, appliance, identity, cloud, and exploit-chain views can infer relevance from loaded fields and keywords.
Trust caveats
Status, Trust Review, and Methodology can infer that a record needs caution because guidance is disputed, rejected, stale, low-confidence, or source-dependent.
Cannot Prove Alone
Claims that need external evidence
Your assets are affected
Requires asset inventory, owner confirmation, installed version evidence, configuration proof, backport guidance, or vendor-specific affected-range validation.
Your systems are reachable
Requires exposure management, network paths, cloud configuration, firewall rules, authentication checks, or externally validated attack-surface data.
Exploitation happened in your environment
Requires SIEM, EDR, identity, firewall, proxy, DNS, application, or endpoint evidence reviewed by the responsible team.
A patch or control fully remediated risk
Requires patch proof, fixed-version validation, control testing, residual-risk review, owner signoff, and closure evidence.
A vendor is responsible for your exact case
Requires vendor advisory text, support case confirmation, product version mapping, deployment context, and contract or support-channel evidence.
Risk was formally accepted
Requires your governance system, named risk owner, approval date, scope, expiry, compensating controls, and audit trail.
Wording Guide
Use precise language in handoffs and reports
Use: "Visible in current portal data"
Good for loaded records, fields, counts, and local saved work.
Use: "Needs environment validation"
Good when asset, version, exposure, owner, or telemetry proof is missing.
Avoid: "We are affected"
Use only after external evidence confirms product, version, configuration, and reachability.
Avoid: "We are compromised"
Use only after telemetry and incident-response review support that claim.
Recommended route: use this page before public claims, escalations, or executive summaries. Then collect the missing proof in Evidence Checklist and Trust Review.