Claim

Software trust evidence

Record the dependency risk you accepted, not the fix you skipped

The problem

You looked at a flagged dependency, decided the risk was tolerable for now, and moved on. Months later a buyer or a teammate asks why that finding is still open, and the only answer lives in a thread or a ticket comment nobody can find. The decision was real, but the record is gone.

Why current tools miss it

Scanners re-flag the same finding every run because they only see the vulnerability, never the human call you made about it. SBOMs list the component; GRC platforms track a control, not the moment an engineer accepted a specific exposure with a reason and an expiry. Trust centers publish a posture, not the decision history behind it, so the accepted risk reads as either ignored or invisible.

How OpenSoyce records the evidence

OpenSoyce records each acceptance as decision evidence layered on top of the original finding: the subject, the business justification, the accountable person, any compensating controls (recorded, not proven effective), and a mandatory expiry. The underlying finding stays visible the whole time, so the acceptance never hides the risk. An active acceptance is shown in amber; when it expires, is revoked, or is superseded, the record moves to that state with the date attached. The full record ships inside the signed evidence packet, the buyer-readable dossier, and the JSON export; the signature attests integrity and origin, while the decision details and review history are there for you to read.
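As an added illustration, not OpenSoyce's own code or export format: a minimal model of the acceptance record described above, with a mandatory expiry, a status derived from the date it is viewed on, and a JSON export whose tag covers integrity and origin only. Field names, the HMAC scheme and all sample values are assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field, asdict
from datetime import date
from typing import Optional

@dataclass
class Acceptance:
    finding_id: str                     # the underlying finding; it stays visible unchanged
    subject: str                        # what the acceptance applies to (e.g. a component)
    justification: str                  # business reason for tolerating the exposure
    accountable: str                    # person who owns the decision
    expires_on: Optional[date]          # mandatory: an acceptance must age out
    compensating_controls: list = field(default_factory=list)  # recorded, not proven effective
    revoked_on: Optional[date] = None
    superseded_by: Optional[str] = None

    def __post_init__(self):
        if self.expires_on is None:
            raise ValueError("an acceptance must carry an expiry")

    def status(self, today: date) -> str:
        # State as of `today`: active, expired, revoked, or superseded.
        if self.superseded_by:
            return "superseded"
        if self.revoked_on and self.revoked_on <= today:
            return "revoked"
        if today >= self.expires_on:
            return "expired"
        return "active"

def export_packet(acc: Acceptance, today: date, key: bytes) -> str:
    """JSON export with derived status and an HMAC tag (hypothetical scheme, integrity/origin only)."""
    body = asdict(acc)
    for k in ("expires_on", "revoked_on"):
        body[k] = body[k].isoformat() if body[k] else None
    body["status_as_of"] = {"date": today.isoformat(), "status": acc.status(today)}
    tag = hmac.new(key, json.dumps(body, sort_keys=True, separators=(",", ":")).encode(), hashlib.sha256).hexdigest()
    return json.dumps({"acceptance": body, "hmac_sha256": tag})

def verify_packet(packet: str, key: bytes) -> bool:
    # Rejects a packet whose acceptance record was altered after it was tagged.
    doc = json.loads(packet)
    tag = hmac.new(key, json.dumps(doc["acceptance"], sort_keys=True, separators=(",", ":")).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, doc["hmac_sha256"])

def sample() -> Acceptance:
    # Constructed sample values, not a real finding, component, or person.
    return Acceptance("FINDING-EXAMPLE-1", "example-lib@1.2.3", "vulnerable path unreachable from our entry points",
                      "owner@example.com", date(2025, 3, 1), ["egress allowlist on the build runner"])
```

A valid tag proves the record was not altered after export; it says nothing about whether the decision was sound.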

The boundary

An acceptance documents a decision; it does not remove or resolve the risk, and it makes nothing safe or compliant. OpenSoyce preserves and explains the evidence and the decision around it. Your policy decides trust.