What Paths Measures

CFSE Consequence Paths — Compositional Authority, Perception, and Safety scoring — characterizes the cyber-physical consequence a vulnerability can make reachable in a stated deployment context: authority transfer, perception-to-action failure, data exposure, physical/safety harm, systemic reach, and recovery burden. It represents those consequences as separate paths so dissimilar harms keep their distance instead of collapsing into a single number.

Each registry entry asks what consequence becomes reachable, how credible it is in the selected context, how broadly it can propagate, and how hard it is to recover. Published vulnerability scores remain useful baselines, but Paths is the consequence layer you would feed into SSVC-style decisions or combine with exploitation likelihood. These nine dimensions name the distinctions Paths makes explicit, each derived from a real case.

Status: v1.0-candidate. The first public version separates pure physical/safety harm severity (`PH`), deployment realizability (`REAL`), and systemic reach (`SYS`). This is not an accuracy claim. Independent validation is open.

The nine consequence dimensions

  1. Blast-radius / scale-of-reuse. One device vs. the whole fleet (SR / SX). CVSS base scoring is intentionally scoped to an isolated vulnerability; the Paths model records when one extracted artifact, credential, or control-plane action can reach many units.
  2. Chain-aware composition. A remote leak plus a local payload compose into one attack. CVSS scores isolated steps with one attack vector each and never the chain.
  3. Authority-leak as a weakness class. A shipped credential or engineering backdoor is an authority failure, distinct from data exposure — not a CWE-359 “privacy leak.”
  4. Flaw vs. device-class decoupling. Don’t let “it’s a ventilator” saturate every score. The base number should measure the flaw, not the consequence class of the device.
  5. Absence-of-control ≠ exploit primitive. You cannot exploit a missing log. Scoring a defense-in-depth gap as if it were the attack it fails to stop imports phantom, double-counted impact.
  6. Uncertainty represented, not maxed. “Unknown” must not default to “worst.” A rubric that resolves every uncertain metric upward produces a ceiling pile-up, not a measurement.
  7. Narrative / origin invariance. Score the bytes, not the vendor’s nationality or the disclosure’s framing. The same behavior must get the same severity regardless of the story.
  8. Recoverability. A hotfixable server is not an un-recallable implant (OR). No base score reflects that some flaws cannot be fixed in place at all.
  9. Representation / inference-channel leakage. A faithful output can be a structure-preserving function of a sensitive input — observe it, invert it, recover the secret, with no access, no exploit, no breach. Protect every sufficiently-informative function of a variable, including its rendered and actuated outputs — not just the variable itself. (GAZEploit: gaze → avatar → typed passwords.)

How to read an entry

Every entry identifies the dominant consequence and all supporting consequence paths. Each path has a compact vector, a band, evidence/liveness status, and reasoning. Published scores, when available, are retained as a baseline for source review rather than as the primary browsing frame. Bands, listed from most to least severe (worst path wins): EMERGENCY, CRITICAL, HIGH, ELEVATED, MONITOR.
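As an added illustration (not code from the Paths project), the following models one entry's paths and applies worst-path-wins while keeping an unknown path out of the aggregate, as dimension 6 requires; the vector strings, evidence labels and the sample entry are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Optional

# Bands exactly as the page lists them, most severe first.
BANDS = ["EMERGENCY", "CRITICAL", "HIGH", "ELEVATED", "MONITOR"]
RANK = {b: i for i, b in enumerate(BANDS)}  # lower index = worse band


@dataclass
class ConsequencePath:
    name: str            # path label from the page, e.g. "PH", "SYS", "OR"
    vector: str          # compact vector; the format here is assumed
    band: Optional[str]  # None when the evidence does not yet support a band
    evidence: str        # assumed statuses: "demonstrated", "plausible", "unknown"
    reasoning: str

    def __post_init__(self):
        if self.band is not None and self.band not in RANK:
            raise ValueError(f"unknown band {self.band!r} on path {self.name}")


def entry_band(paths):
    """Worst-path-wins over scored paths. Unknown paths are reported as open
    questions instead of being promoted to the worst band."""
    scored = [p for p in paths if p.band is not None and p.evidence != "unknown"]
    open_paths = [p.name for p in paths if p not in scored]
    if not scored:
        return None, None, open_paths
    dominant = min(scored, key=lambda p: RANK[p.band])
    return dominant.band, dominant.name, open_paths


def naive_band(paths):
    """The anti-pattern the page warns about: every unknown resolves upward,
    so any entry with one unassessed path piles up at the ceiling."""
    bands = [p.band if p.evidence != "unknown" and p.band else BANDS[0] for p in paths]
    return min(bands, key=RANK.__getitem__)


# Constructed sample entry: a fleet device shipping one shared credential.
SAMPLE = [
    ConsequencePath("SYS", "SYS:fleet", "CRITICAL", "demonstrated",
                    "one extracted credential is valid on every unit"),
    ConsequencePath("PH", "PH:?", None, "unknown",
                    "physical harm depends on deployment; not assessed"),
    ConsequencePath("OR", "OR:field-update", "ELEVATED", "plausible",
                    "firmware can be updated in place"),
]
```

Running `entry_band(SAMPLE)` yields the CRITICAL band driven by the SYS path with PH left open, while `naive_band(SAMPLE)` returns EMERGENCY purely because PH was unknown.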
