Security Decisioning

Decisions you can prove and replay

Gate releases with policy evaluation, lattice VEX resolution, and deterministic verdicts. Every decision exports a signed, replayable capsule.

The problem with typical security workflows

Scanner findings pile up. Exceptions accumulate. Six months later, nobody can explain why a CVE was marked "acceptable."

Typical security workflow

  • VEX (Vulnerability Exploitability eXchange) as blind suppression — "mark as not affected"
  • Conflicting statements ignored, not resolved
  • Decisions scattered across tickets and emails
  • No way to prove what was known at decision time

Stella decisioning

  • VEX as state — conflicts are detected and tracked
  • Trust-weighted consensus with rationale
  • Decisions sealed in exportable capsules
  • Deterministic replay with frozen inputs

VEX consensus engine

Not blind suppression. A 5-state lattice with trust weighting, conflict detection, and exportable rationale.

5-state VEX lattice

VEX statements resolve through a trust-weighted lattice. Conflicts are first-class state, not hidden errors.

  • Fixed
  • Not Affected
  • Affected
  • Conflict
  • Unknown

Trust vector scoring

9 factors: issuer authority, specificity, freshness, and more.

Conflict detection

Contradictory claims flagged for resolution, not silently merged.

Freshness decay

14-day half-life ensures stale claims lose influence.

7 CSAF providers

RedHat, Ubuntu, Oracle, MSRC, Cisco, SUSE, VMware.

Rationale export

Audit-grade explainability for every consensus.

Conflict studio UI

Visual resolution for conflicting VEX claims.
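An added, constructed model of the trust-weighted lattice described above (not Stella's code): each VEX statement is weighted by an assumed issuer trust score and decayed with the page's 14-day half-life, weights are summed per claim, and contradictory claims resolve to the Conflict state with the weights exported as rationale. The trust values, the conflict ratio and the decision time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed illustrative model of a trust-weighted VEX lattice; not Stella's code.
HALF_LIFE_DAYS = 14.0                                          # half-life stated on the page
ISSUER_TRUST = {"vendor": 1.0, "distro": 0.8, "scanner": 0.4}  # assumed trust weights
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)               # constructed decision time

@dataclass(frozen=True)
class VexStatement:
    issuer: str
    status: str          # "affected", "not_affected" or "fixed"
    issued_at: datetime

def days_before(n):
    return NOW - timedelta(days=n)

def weight(stmt, now=NOW):
    """Issuer trust scaled by exponential freshness decay (half-life 14 days)."""
    age_days = max((now - stmt.issued_at).total_seconds() / 86400.0, 0.0)
    return ISSUER_TRUST.get(stmt.issuer, 0.2) * 0.5 ** (age_days / HALF_LIFE_DAYS)

def resolve(statements, now=NOW, conflict_ratio=0.5):
    """Fold statements into one of the five lattice states plus an exportable rationale."""
    if not statements:
        return "Unknown", {"reason": "no VEX statements"}
    mass = {"affected": 0.0, "not_affected": 0.0, "fixed": 0.0}
    for s in statements:
        mass[s.status] += weight(s, now)
    rationale = {k: round(v, 3) for k, v in mass.items()}
    exploitable = mass["affected"]
    safe = mass["not_affected"] + mass["fixed"]
    lo, hi = sorted((exploitable, safe))
    # Conflict is a first-class state, not an error: when the weaker side still carries
    # at least conflict_ratio of the stronger side's weight, the claims contradict.
    if lo > 0 and lo / hi >= conflict_ratio:
        return "Conflict", rationale
    if exploitable > safe:
        return "Affected", rationale
    if mass["fixed"] >= mass["not_affected"]:
        return "Fixed", rationale
    return "Not Affected", rationale

if __name__ == "__main__":
    claims = [VexStatement("vendor", "not_affected", NOW),
              VexStatement("scanner", "affected", days_before(28))]
    print(resolve(claims))   # ('Not Affected', {'affected': 0.1, 'not_affected': 1.0, 'fixed': 0.0})
```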

Policy engine

10+ gate types with Belnap K4 four-valued logic. True, False, Both, and Neither are all valid states.

Policy gate types

  • Severity threshold gates (CVSS, EPSS)
  • Reachability requirement for criticals
  • Unknowns budget gate — uncertainty tracked
  • Source quota gate — 60% cap enforcement
  • OPA/Rego integration for custom rules

Risk scoring

  • CVSS v4.0, EPSS v4 probability
  • KEV (Known Exploited Vulnerabilities) detection
  • Reachability-aware gate multipliers
  • Custom scoring profiles
  • Policy simulation before deployment
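An added, constructed illustration of how gates can be combined under Belnap K4 logic, where Both (contradictory evidence, e.g. a VEX Conflict) and Neither (no evidence, e.g. an Unknown state or a missing score) survive into the verdict instead of collapsing to pass or fail. The gate rules, thresholds and verdict wording are assumptions, not Stella's policy definitions.

```python
from enum import Enum

# Constructed illustration of Belnap K4 four-valued gates; the gate rules are assumed,
# not Stella's policy definitions.
class K4(Enum):
    T = "True"      # evidence the gate passes, none against
    F = "False"     # evidence the gate fails, none for
    B = "Both"      # contradictory evidence (e.g. a VEX Conflict)
    N = "Neither"   # no evidence at all (e.g. VEX Unknown, missing score)

# Truth ordering F < B, N < T: AND is the meet, OR the join; B and N are incomparable.
def k4_and(a, b):
    if K4.F in (a, b): return K4.F
    if a is K4.T: return b
    if b is K4.T: return a
    return a if a is b else K4.F      # B and N meet at F

def k4_or(a, b):
    if K4.T in (a, b): return K4.T
    if a is K4.F: return b
    if b is K4.F: return a
    return a if a is b else K4.T      # B and N join at T

def severity_gate(f, max_cvss=7.0, max_epss=0.1):
    """Pass only below both thresholds; a missing score is Neither, not a silent pass."""
    if f.get("cvss") is None or f.get("epss") is None: return K4.N
    return K4.T if f["cvss"] < max_cvss and f["epss"] < max_epss else K4.F

VEX_TO_K4 = {"Not Affected": K4.T, "Fixed": K4.T, "Affected": K4.F,
             "Conflict": K4.B, "Unknown": K4.N}

def reachability_gate(f):
    """Criticals (CVSS >= 9) must carry reachability evidence; absent evidence is Neither."""
    if f.get("cvss") is None or f["cvss"] < 9.0: return K4.T
    if f.get("reachable") is None: return K4.N
    return K4.F if f["reachable"] else K4.T

def evaluate(findings):
    """A finding passes if severity OR exploitability clears it, AND reachability clears it.
    Findings combine with AND; the verdict keeps Both and Neither distinct."""
    result, trace = K4.T, []
    for f in findings:
        per = k4_and(k4_or(severity_gate(f), VEX_TO_K4[f["vex_state"]]), reachability_gate(f))
        trace.append((f["id"], per.value))
        result = k4_and(result, per)
    verdict = {K4.T: "ALLOW", K4.F: "BLOCK",
               K4.B: "BLOCK: contradictory evidence, resolve the conflict",
               K4.N: "HOLD: evidence missing, unknowns budget applies"}[result]
    return verdict, trace
```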

Decision Capsules

Every gate evaluation produces a sealed, exportable evidence bundle. Six months later, replay the exact decision.

What's in a capsule

  • Artifact digest (SHA-256)
  • SBOM (Software Bill of Materials) snapshot
  • Reachability evidence
  • VEX state (lattice-resolved)
  • Policy version + verdict
  • Approval signatures
$ stella replay decision-capsule-2026-01-15.yaml --verify
Replaying decision from 2026-01-15T14:32:00Z...
Policy version: sha256:e5f6g7h8... (matches)
Feed snapshot:  sha256:i9j0k1l2... (matches)
VEX state:      sha256:m3n4o5p6... (matches)
Verdict: ALLOW (identical to original)
Determinism check: PASSED

Same inputs → Same outputs. Audit-ready.
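An added, constructed illustration of the replay check shown in the terminal session above (not Stella's capsule format): inputs are canonicalised and digested, the verdict is a pure function of those frozen inputs, and replay re-derives every digest and the verdict and reports which ones still match. The capsule layout, policy fields and sample findings are assumptions.

```python
import hashlib
import json

# Constructed illustration of sealing and replaying a decision capsule; the capsule
# layout and the policy fields are assumed, not Stella's on-disk format.

def digest(obj):
    """Canonical JSON (sorted keys, no whitespace) so identical inputs always hash alike."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def decide(policy, feed, vex_state):
    """Deterministic verdict: a pure function of the frozen inputs, nothing else."""
    unknowns = 0
    for cve in feed["findings"]:
        state = vex_state.get(cve, "Unknown")   # no statement at all counts as Unknown
        if state in policy["blocking_states"]:
            return "BLOCK"
        unknowns += state == "Unknown"
    return "ALLOW" if unknowns <= policy["unknowns_budget"] else "BLOCK"

def seal(artifact_digest, policy, feed, vex_state):
    """Seal the input digests and the verdict; the frozen inputs travel alongside."""
    return {"artifact": artifact_digest, "policy": digest(policy), "feed": digest(feed),
            "vex": digest(vex_state), "verdict": decide(policy, feed, vex_state)}

def replay(capsule, policy, feed, vex_state):
    """Re-derive every digest and the verdict from the frozen inputs and compare."""
    checks = {"policy": digest(policy) == capsule["policy"],
              "feed": digest(feed) == capsule["feed"],
              "vex": digest(vex_state) == capsule["vex"],
              "verdict": decide(policy, feed, vex_state) == capsule["verdict"]}
    return all(checks.values()), checks

if __name__ == "__main__":
    # Constructed sample inputs (placeholder identifiers, not real findings).
    policy = {"blocking_states": ["Affected", "Conflict"], "unknowns_budget": 1}
    feed = {"findings": {"finding-1": {"cvss": 5.0}, "finding-2": {"cvss": 9.8}}}
    vex = {"finding-1": "Unknown", "finding-2": "Not Affected"}
    capsule = seal("sha256:<artifact-digest-placeholder>", policy, feed, vex)
    print(capsule["verdict"], replay(capsule, policy, feed, vex)[0])   # ALLOW True
```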

Attestation & signing

Signing infrastructure

  • DSSE (Dead Simple Signing Envelope) signing with in-toto
  • Keyless signing via Sigstore/Fulcio
  • Rekor transparency log integration
  • Key rotation service with HSM support

25+ predicate types

  • SBOM, VEX, reachability predicates
  • Policy decision predicates
  • Human approval predicates
  • SLSA (Supply-chain Levels for Software Artifacts) provenance v1.0

What makes it different

Explainable verdicts

Every decision includes rationale traces and score breakdowns.

Unknowns as state

Uncertainty is tracked and budgeted, not hidden or ignored.

Deterministic replay

Same inputs, same outputs. Prove any decision months later.

Ready for decisions you can prove?

Start with policy setup and your first gate evaluation.
