Software trust evidence
What is software trust evidence?
Software trust evidence is observed, source-attributed facts about software and the human decisions recorded around them. It keeps the original finding and the decision side by side — a dependency, CI, package, or AI-agent signal, the risk someone accepted, and an owner and expiry — so a reader weighs a record instead of a verdict. OpenSoyce preserves and explains that evidence; the buyer's policy decides trust.
The terms
- Software trust evidence: observed, source-attributed facts about software and the human decisions recorded around them.
- Signed evidence packet: a signed bundle of evidence about a review subject that a buyer can check.
- Risk-acceptance evidence: a recorded human decision to accept a risk, with an owner and an expiry, that does not hide the underlying finding.
- AI agent inventory evidence: recorded evidence about installed agents, skills, and MCP servers and their declared capabilities.
- Buyer-verifiable dossier: a buyer-readable view whose signature, artifact binding, and review history can be independently checked.
- Contradiction signal: a point where two sources disagree, surfaced as a review signal that prompts a closer look, never a verdict.
- Artifact binding: the link tying each evidence item to the specific subject and source it came from, so the reader can trace it back.
- Soyce Score: a signal you weigh in your own review, not a verdict that decides trust for you.
The loop
1. Observe — read dependency, CI, package, and AI-agent signals and attribute each to its source
2. Record — bind every item to its subject and record the human risk decision with an owner and expiry
3. Share — pack it into a signed evidence packet and a buyer-readable dossier
4. Operate — surface contradictions as review signals and let expiries and revocations move the record
5. Verify — a buyer independently checks the signature, artifact binding, and review history
What it is not
- Not a vulnerability scanner — a scanner produces findings and re-runs; software trust evidence keeps the finding and the human decision around it as a record.
- Not a GRC platform — it does not manage your internal control program; it produces a portable record a buyer can independently check.
- Not a compliance-certification tool — it does not certify SOC 2, ISO 27001, or any standard; it provides control-review evidence that may support SOC 2-style review.
- Not a static trust center — it does not publish a fixed badge; the record carries the actual review history, contradictions, and risk decisions for the reader to weigh.
Questions
Does software trust evidence say a package is safe?
No. It records observed, source-attributed facts and the human decision around them. A signature attests integrity and origin only — never that a finding is resolved or that something is safe. Your policy decides trust.
What does the signature on a packet actually prove?
That the bundle has not been altered and that it came from the origin it claims — integrity and origin. It does not mean OpenSoyce independently verified the contents or that any finding was resolved.
How is risk-acceptance evidence different from closing a finding?
A recorded risk acceptance documents that a person chose to accept a risk, with an owner and an expiry. The original finding stays standing in the record; accepting it does not remove or hide it.
Can a buyer check the evidence without trusting OpenSoyce?
Yes. A buyer-verifiable dossier exposes the signature, artifact binding, and review history so the buyer can independently check them, including verifying the signature themselves.
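The loop and the two answers above (what the signature proves, and why an acceptance does not close a finding) as an added illustration in Python; this is example code, not OpenSoyce's packet format or implementation. It assumes a constructed subject, evidence items, advisory name, and key, and an HMAC stands in for the asymmetric signature a real packet would carry, so here "origin" is only proven to someone holding the same key.

```python
import hashlib
import hmac
import json

# Constructed demo key: a shared-secret MAC stands in for the asymmetric signature a real packet would carry.
DEMO_KEY = b"constructed-demo-key"

def canonical(obj) -> bytes:
    # Deterministic encoding so signer and buyer hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_packet(subject_name, subject_bytes, items, acceptances, issued_at, key=DEMO_KEY):
    """Bind every item to the subject digest and sign the body. Accepted findings stay in the record."""
    digest = hashlib.sha256(subject_bytes).hexdigest()
    body = {"subject": {"name": subject_name, "sha256": digest},
            "items": [dict(item, subject_sha256=digest) for item in items],
            "risk_acceptances": acceptances, "issued_at": issued_at}
    return {"body": body, "signature": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}

def verify_packet(packet, subject_bytes, now, key=DEMO_KEY):
    """Buyer-side checks: signature (integrity and origin only), artifact binding, live acceptances, contradictions."""
    body = packet["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet["signature"]):
        return {"signature": False}  # altered or not from the claimed origin; nothing else is examined
    digest = hashlib.sha256(subject_bytes).hexdigest()
    bound = body["subject"]["sha256"] == digest and all(i["subject_sha256"] == digest for i in body["items"])
    # An acceptance annotates a finding with an owner and expiry; past expiry it lapses, the finding does not.
    live = {a["finding_id"]: a["owner"] for a in body["risk_acceptances"] if a["expires_at"] > now}
    findings = [{"id": i["id"], "source": i["source"], "finding": i["finding"], "accepted_by": live.get(i["id"])}
                for i in body["items"] if i["finding"]]
    # Contradiction signal: two sources give different values for the same claim about this subject.
    by_claim = {}
    for i in body["items"]:
        by_claim.setdefault(i["claim"], {})[i["source"]] = i["value"]
    contradictions = sorted(c for c, srcs in by_claim.items() if len(set(map(str, srcs.values()))) > 1)
    return {"signature": True, "artifact_binding": bound, "findings": findings, "contradictions": contradictions}

# Constructed review subject and evidence items (placeholder package and advisory names).
SUBJECT = b"constructed tarball bytes for demo-lib"
ITEMS = [
    {"id": "dep-1", "source": "sbom", "claim": "demo-lib.version", "value": "1.3.0",
     "finding": "advisory DEMO-ADV-1 applies to demo-lib 1.3.0"},
    {"id": "lock-1", "source": "lockfile", "claim": "demo-lib.version", "value": "1.2.0", "finding": None},
    {"id": "ci-1", "source": "ci", "claim": "tests.passed", "value": True, "finding": None},
]
ACCEPTANCES = [{"finding_id": "dep-1", "owner": "alice@example.com", "expires_at": "2026-03-01"}]
PACKET = build_packet("demo-lib-1.3.0.tgz", SUBJECT, ITEMS, ACCEPTANCES, issued_at="2026-01-15")

def review(now, subject_bytes=SUBJECT):
    # What a buyer sees on a given date: the same finding, with or without a live acceptance.
    return verify_packet(PACKET, subject_bytes, now)
```

Running `review("2026-02-01")` shows the finding annotated with its owner, `review("2026-04-01")` shows the same finding with the acceptance lapsed, and the version disagreement between the SBOM and the lockfile is reported as a contradiction signal, not a verdict.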
The boundary
OpenSoyce preserves and explains software trust evidence and the human decision around it; it does not certify, verify, approve, or guarantee anything. A signature proves integrity and origin, not that a finding is resolved or that something is true or safe. Contradictions are review signals, never verdicts, and the absence of one is not a clearance. The buyer's policy decides trust.