PUBLIC TRUST

Methodology

Confidence is a feature.

Null Lattice is a discovery and situational-awareness system. It does not treat every public statement as fact—or popularity as importance.

HIGH CONFIDENCE

Authoritative evidence

CISA KEV confirms observed exploitation. NVD and GitHub advisories identify and describe vulnerabilities. Vendor advisories and original research provide primary evidence.

CONTEXTUAL EVIDENCE

Independent reporting

Security publications and community discovery channels add context and early signals. Details may evolve and should be checked against the linked report.

UNVERIFIED EVIDENCE

Claims and chatter

Leak-site and ransomware entries are allegations. Inclusion does not confirm compromise, attribution, or data theft.

01

Collection and retention

Government advisories, vulnerability databases, original research, vendor labs, independent reporting, public disclosures, exploit indexes, community discovery, primary software releases, and adversary-claim aggregators are polled on scheduled intervals, normalized, deduplicated, and retained as an observation archive. “First seen” means first observed by Null Lattice—not necessarily when an incident occurred.

02

Source diversity

The public feed is balanced across publishers before display. A fast or high-volume source cannot consume the whole page: the newest item from each active publisher is selected before a second item is taken from any publisher. This is presentation balancing, not evidence corroboration.
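The selection rule described above, sketched in Python as an added example; this is not Null Lattice's own code. The tuple layout, the publisher names, the `balance_feed` function and the choice to order each round by recency are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample observations: (publisher, title, first_seen). Not real feed data.
SAMPLE = [
    ("fast-wire", "fw-1", "2024-05-01T12:01:00"),
    ("fast-wire", "fw-2", "2024-05-01T12:02:00"),
    ("fast-wire", "fw-3", "2024-05-01T12:03:00"),
    ("fast-wire", "fw-4", "2024-05-01T12:04:00"),
    ("vendor-lab", "vl-1", "2024-05-01T10:00:00"),
    ("vendor-lab", "vl-2", "2024-05-01T11:00:00"),
    ("gov-advisory", "ga-1", "2024-05-01T09:00:00"),
]

def _seen(item):
    """Parse the first_seen timestamp of one observation."""
    return datetime.fromisoformat(item[2])

def balance_feed(items, limit):
    """Take the newest item from every publisher before any publisher's second."""
    queues = defaultdict(list)
    for item in items:
        queues[item[0]].append(item)
    for queue in queues.values():
        queue.sort(key=_seen, reverse=True)  # newest first within each publisher

    feed, depth = [], 0
    while len(feed) < limit:
        # Round `depth` holds each publisher's (depth+1)-th newest item, if it has one.
        round_items = [q[depth] for q in queues.values() if len(q) > depth]
        if not round_items:
            break  # every publisher is exhausted
        round_items.sort(key=_seen, reverse=True)  # assumed tie-break: recency
        feed.extend(round_items)
        depth += 1
    return feed[:limit]

def titles(feed):
    return [title for _, title, _ in feed]

if __name__ == "__main__":
    print("balanced:", titles(balance_feed(SAMPLE, 4)))
    # Plain recency ordering, for contrast: the high-volume publisher fills the page.
    print("recency :", titles(sorted(SAMPLE, key=_seen, reverse=True)[:4]))
```

With a four-item page, plain recency ordering shows only the high-volume publisher, while the balanced feed shows all three publishers before repeating any of them.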

03

Emerging vulnerability scoring

CVSS describes technical severity. EPSS estimates the probability of exploitation activity in the next 30 days. CISA KEV confirms evidence of exploitation in the wild. Public exploit or proof-of-concept status comes from linked advisory evidence and is labeled separately from confirmed exploitation.

04

“Zero-day” language

Null Lattice reserves “zero-day reported” for a source explicitly reporting exploitation before or without an available fix. It is an attributed report—not automatic confirmation. “Disclosure watch,” “public exploit,” and “known exploited” remain separate states so uncertainty is not flattened into one dramatic label.

05

Priority ordering

Known exploitation receives greater weight than public exploit evidence, high EPSS probability, technical severity, reporting, and adversary claims. Claim cards open an internal dossier first; an originating public aggregator is retained only as explicitly labeled evidence. Null Lattice does not direct visitors to criminal leak infrastructure.

06

Country posture scores

Scores summarize volume and recency of claims and reporting. They are comparative indicators, not forecasts, breach confirmations, or assessments of national capability.

07

Corrections and verification

Public cyber reporting changes quickly. Direct source links remain attached so readers can inspect context. Production deployment should include a published corrections and takedown process.