Confidence rule: source confidence tells you how carefully to treat a signal. It does not prove local exposure, exploitation, compromise, patch deployment, or business impact.
Source Confidence Explainer
Use source confidence to pace validation, not to skip it.
Use this guide when a record has low, medium, high, disputed, stale, or changing source confidence and the team needs to decide whether to patch, validate, monitor, escalate, or wait for better guidance.
High confidence: use strong source agreement to prioritize validation and owner handoffs.
Medium confidence: treat the record as useful context while checking vendor, asset, version, and exposure proof.
Low confidence: keep the signal visible, but avoid hard deadlines until confidence improves.
Disputed or changing: recheck guidance when records are disputed, corrected, rejected, or superseded.
Confidence Levels
How to use confidence without overclaiming
High confidence
Source quality supports faster routing
Use high confidence when authoritative guidance, consistent records, current references, and stable affected/fixed language support the same basic story.
Medium confidence
Useful, but still needs confirmation
Use medium confidence when the record is plausible but still needs vendor detail, scanner logic review, owner confirmation, or source freshness checks.
Low confidence
Signal needs review before action
Use low confidence when the source is stale, incomplete, broad, conflicting, thinly referenced, scanner-only, or missing authoritative affected-version guidance.
Disputed or changing
The story may still be moving
Use disputed, rejected, corrected, or superseded guidance as a warning that previous assumptions may need to be reopened.
What It Proves
Safe and unsafe uses of source confidence
Safe
It can support queue order
Higher confidence can move a record earlier in validation because the public signal is more coherent.
Safe
It can shape caveats
Briefs can say that guidance is authoritative, incomplete, disputed, stale, or still changing.
Unsafe
It does not prove local exposure
Even strong sources do not show that your product, version, feature, or asset exists, or that a reachable path to it exists.
Unsafe
It does not prove compromise
Source confidence is not telemetry. Incident claims need SOC or IR evidence.
Routing
What to do when confidence changes the decision
Confidence is high and exposure is plausible
Use Affected Version Validation, Exposure Operations, and Handoff Center to move quickly without skipping local proof.
Confidence is low or scanner-only
Use Feed False Positive Patterns, Trust Review, and Source Analytics before turning the signal into a patch deadline.
Guidance conflicts
Use Disputed CVSS Guidance or Unclear Vendor Guidance when NVD, vendor, distro, scanner, cloud, or owner evidence disagrees.
Leadership needs an update
Use the beginner leadership and executive examples to explain confidence caveats without claiming confirmed exposure or compromise.
Copy Template
Source-confidence note
Source confidence note - [CVE/advisory]
Confidence level: [high / medium / low / disputed / changing]
Why: [authoritative source, source agreement, stale record, scanner-only, conflicting guidance, supersedence]
What this supports: [queue order, validation urgency, caveat, vendor follow-up, monitoring]
What it does not prove: [local exposure, affected version, compromise, patch deployed, business impact]
Next validation: [asset/version/exposure/vendor/SOC/source freshness]
Owner and review trigger: [team/person, date or source update]
Recommended route: use confidence to choose validation speed, then prove affected scope, exposure, and owner action before assigning or closing work.
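The confidence levels, the routing table, and the copy template above describe one procedure: derive a level from source properties, pick the next step, and write the note with its fixed caveat. The script below is an added example of that procedure, not tooling from this page or any vendor. The record fields, the 180-day freshness window, the reference date, the placeholder CVE identifiers and the owner names are constructed assumptions; the route names are the ones the Routing section lists. Disputed or superseded status overrides every other marker, any low marker overrides high markers, and a deadline is only allowed once local proof exists, regardless of confidence.

```python
"""Source-confidence triage for a vulnerability record.

Added example for this explainer, not the page's own tooling. Record fields,
the freshness window, the reference date, CVE placeholders and owner names
are assumptions; route names follow the explainer's Routing section.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=180)  # assumed: records older than this are stale
TODAY = date(2024, 6, 1)           # constructed reference date for the samples

# Confidence never proves any of these; every note carries the caveat unchanged.
NOT_PROVEN = "local exposure, affected version, compromise, patch deployed, business impact"

ROUTES = {
    "high": "Affected Version Validation, Exposure Operations, Handoff Center",
    "low": "Feed False Positive Patterns, Trust Review, Source Analytics",
    "disputed": "Disputed CVSS Guidance / Unclear Vendor Guidance",
    "medium": "vendor detail, scanner logic review, owner confirmation, source freshness",
}


@dataclass
class SourceRecord:
    cve_id: str
    vendor_advisory: bool     # authoritative vendor guidance exists
    nvd_status: str           # assumed values: analyzed, awaiting, disputed, rejected
    affected_versions: bool   # authoritative affected/fixed version language present
    scanner_only: bool        # the only evidence is a scanner plugin
    sources_agree: bool       # NVD, vendor, distro and scanner tell one story
    last_updated: date
    superseded_by: Optional[str] = None


def classify(rec: SourceRecord, today: date = TODAY):
    """Return (level, reasons). Disputed/superseded wins over everything else
    because it reopens earlier assumptions; any low marker beats high markers."""
    reasons = []
    if rec.nvd_status in ("disputed", "rejected"):
        reasons.append(f"NVD status {rec.nvd_status}")
    if rec.superseded_by:
        reasons.append(f"superseded by {rec.superseded_by}")
    if reasons:
        return "disputed", reasons
    if today - rec.last_updated > STALE_AFTER:
        reasons.append("stale record")
    if rec.scanner_only:
        reasons.append("scanner-only")
    if not rec.affected_versions:
        reasons.append("missing affected-version guidance")
    if not rec.sources_agree:
        reasons.append("conflicting guidance")
    if reasons:
        return "low", reasons
    if rec.vendor_advisory and rec.nvd_status == "analyzed":
        return "high", ["authoritative source", "source agreement"]
    return "medium", ["plausible but vendor detail unconfirmed"]


def route(level: str, reasons, exposure_plausible: bool) -> str:
    """Pick the next step. Conflicts take the dispute route even at low
    confidence; high confidence only moves fast when exposure is plausible."""
    if level == "disputed" or "conflicting guidance" in reasons:
        return ROUTES["disputed"]
    if level == "low":
        return ROUTES["low"]
    if level == "high" and exposure_plausible:
        return ROUTES["high"]
    return ROUTES["medium"]


def deadline_allowed(level: str, local_proof: bool) -> bool:
    """A patch deadline needs local proof (asset, version, exposure) plus at
    least medium confidence; confidence alone never sets one."""
    return local_proof and level in ("high", "medium")


def triage(rec: SourceRecord, exposure_plausible: bool, local_proof: bool,
           owner: str, today: date = TODAY) -> dict:
    """Classify, route, and draft the source-confidence note for one record."""
    level, reasons = classify(rec, today)
    next_step = route(level, reasons, exposure_plausible)
    supports = ("queue order, validation urgency" if level in ("high", "medium")
                else "caveat, monitoring, vendor follow-up")
    note = "\n".join([
        f"Source confidence note - {rec.cve_id}",
        f"Confidence level: {level}",
        f"Why: {', '.join(reasons)}",
        f"What this supports: {supports}",
        f"What it does not prove: {NOT_PROVEN}",
        f"Next validation: {next_step}",
        f"Owner and review trigger: {owner}, next source update",
    ])
    return {"level": level, "reasons": reasons, "route": next_step,
            "deadline_allowed": deadline_allowed(level, local_proof), "note": note}


def sample_records() -> dict:
    """Constructed records with placeholder identifiers, not real advisories."""
    return {
        "high": SourceRecord("CVE-0000-0001", True, "analyzed", True, False, True, date(2024, 5, 20)),
        "low": SourceRecord("CVE-0000-0002", False, "awaiting", False, True, True, date(2023, 1, 15)),
        "disputed": SourceRecord("CVE-0000-0003", True, "disputed", True, False, True, date(2024, 5, 28)),
        "medium": SourceRecord("CVE-0000-0004", False, "awaiting", True, False, True, date(2024, 5, 25)),
    }


if __name__ == "__main__":
    for name, rec in sample_records().items():
        print(triage(rec, exposure_plausible=True, local_proof=False, owner="app-team")["note"], "\n")
```

Running the script prints one note per sample record; the high-confidence record still reports no deadline because local proof has not been supplied, which is the pacing rule the explainer insists on.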