| 1 | +# PVR Triage Scoring Reference |
| 2 | + |
| 3 | +This document describes every scoring decision made by the PVR triage taskflows: batch priority scoring, single-advisory quality signals, fast-close detection, and reporter reputation thresholds. All values are authoritative — they reflect the exact constants in the taskflow YAML and MCP server code. |
| 4 | + |
| 5 | +--- |
| 6 | + |
| 7 | +## 1. Batch Priority Score (`pvr_triage_batch`) |
| 8 | + |
| 9 | +Used to rank unprocessed draft advisories before triage. |
| 10 | + |
| 11 | +### Severity weight |
| 12 | + |
| 13 | +| Severity | Weight | |
| 14 | +|---|---| |
| 15 | +| critical | 4 | |
| 16 | +| high | 3 | |
| 17 | +| medium | 2 | |
| 18 | +| low | 1 | |
| 19 | +| unknown | 1 | |
| 20 | + |
| 21 | +### Quality weight |
| 22 | + |
| 23 | +Extracted from the advisory description text. Each signal present adds 1 point. |
| 24 | + |
| 25 | +| Signal | Condition | |
| 26 | +|---|---| |
| 27 | +| `has_file_references` | Description mentions at least one specific source file path | |
| 28 | +| `has_poc` | Description includes reproduction steps or exploit code | |
| 29 | +| `has_line_numbers` | Description cites at least one line number | |
| 30 | + |
| 31 | +### Formula |
| 32 | + |
| 33 | +``` |
| 34 | +priority_score = severity_weight + quality_weight (max: 7) |
| 35 | +``` |
| 36 | + |
| 37 | +### Suggested action thresholds |
| 38 | + |
| 39 | +| priority_score | Suggested action | |
| 40 | +|---|---| |
| 41 | +| ≥ 5 | Triage Immediately | |
| 42 | +| ≥ 3 | Triage Soon | |
| 43 | +| 2 | Triage | |
| 44 | +| ≤ 1 | Likely Low Quality — Fast Close | |
| 45 | + |
| 46 | +### Score reference table |
| 47 | + |
| 48 | +| Severity | No signals | 1 signal | 2 signals | 3 signals | |
| 49 | +|---|---|---|---|---| |
| 50 | +| critical | 4 — Triage Soon | 5 — **Triage Immediately** | 6 — **Triage Immediately** | 7 — **Triage Immediately** | |
| 51 | +| high | 3 — Triage Soon | 4 — Triage Soon | 5 — **Triage Immediately** | 6 — **Triage Immediately** | |
| 52 | +| medium | 2 — Triage | 3 — Triage Soon | 4 — Triage Soon | 5 — **Triage Immediately** | |
| 53 | +| low | 1 — Fast Close | 2 — Triage | 3 — Triage Soon | 4 — Triage Soon | |
| 54 | + |
| 55 | +**Key observations:** |
| 56 | +- A bare `critical` with no quality signals scores 4 — Triage Soon, not Triage Immediately. |
| 57 | +- `high` needs at least two quality signals to reach Triage Immediately. |
| 58 | +- `medium` needs all three quality signals to reach Triage Immediately. |
| 59 | +- Any `low` severity report with no quality signals is Fast Close. |
| 60 | + |
| 61 | +### Already-triaged advisories |
| 62 | + |
| 63 | +Advisories with an existing `_triage.md` in `REPORT_DIR` are skipped entirely and do not appear in the scored queue. Their count is noted in the batch report summary. |
| 64 | + |
| 65 | +--- |
| 66 | + |
| 67 | +## 2. Single-Advisory Quality Signals (`pvr_triage`) |
| 68 | + |
| 69 | +The quality gate in Task 3 extracts the same three signals as the batch scorer, plus two additional ones used for the report quality rating. |
| 70 | + |
| 71 | +| Signal | Used in | |
| 72 | +|---|---| |
| 73 | +| `has_file_references` | Fast-close, report quality rating | |
| 74 | +| `has_line_numbers` | Fast-close, report quality rating | |
| 75 | +| `has_poc` | Fast-close, report quality rating | |
| 76 | +| `has_version_info` | Report quality rating only | |
| 77 | +| `has_code_snippets` | Report quality rating only | |
| 78 | + |
| 79 | +### Report quality rating |
| 80 | + |
| 81 | +Assigned by the analyst in the report generation task. |
| 82 | + |
| 83 | +| Rating | Criteria | |
| 84 | +|---|---| |
| 85 | +| High | Specific, accurate claims; verified PoC; correct file paths and line numbers | |
| 86 | +| Medium | Partially accurate; some details wrong or missing | |
| 87 | +| Low | Vague, speculative, or significantly inaccurate ("AI slop") | |
| 88 | + |
| 89 | +--- |
| 90 | + |
| 91 | +## 3. Fast-Close Detection (`pvr_triage`) |
| 92 | + |
| 93 | +The quality gate triggers `fast_close=true` when **all four** conditions hold simultaneously: |
| 94 | + |
| 95 | +1. `has_file_references` is false |
| 96 | +2. `has_poc` is false |
| 97 | +3. `has_line_numbers` is false |
| 98 | +4. At least one similar report already exists in `REPORT_DIR` with verdict `UNCONFIRMED` or `CONFIRMED` |
| 99 | + |
| 100 | +When `fast_close` is true, code verification is skipped entirely. The response draft uses the fast-close template (requests specific file path, line number, and reproduction steps). |
| 101 | + |
| 102 | +Conditions 1–3 alone are not sufficient — there must also be a prior report on a similar issue. A novel low-quality report for an unseen component proceeds to full verification. |
| 103 | + |
| 104 | +--- |
| 105 | + |
| 106 | +## 4. Reporter Reputation (`reporter_reputation.py`) |
| 107 | + |
| 108 | +Accumulated from every completed `pvr_triage` run. Keyed by GitHub login. |
| 109 | + |
| 110 | +### Inputs per record |
| 111 | + |
| 112 | +| Field | Values | |
| 113 | +|---|---| |
| 114 | +| verdict | CONFIRMED / UNCONFIRMED / INCONCLUSIVE | |
| 115 | +| quality | High / Medium / Low | |
| 116 | + |
| 117 | +### Score metrics |
| 118 | + |
| 119 | +``` |
| 120 | +confirmed_pct = confirmed_count / total_reports |
| 121 | +low_share = Low_count / total_reports |
| 122 | +``` |
| 123 | + |
| 124 | +### Recommendation thresholds |
| 125 | + |
| 126 | +| Condition | Recommendation | |
| 127 | +|---|---| |
| 128 | +| confirmed_pct ≥ 0.60 **and** low_share ≤ 0.20 | high trust | |
| 129 | +| confirmed_pct ≤ 0.20 **or** low_share ≥ 0.50 | treat with skepticism | |
| 130 | +| Otherwise | normal | |
| 131 | +| No history | no history | |
| 132 | + |
| 133 | +### Effect on triage |
| 134 | + |
| 135 | +The reputation score is **informational only** — it appears in the triage report under Reporter Reputation but does not automatically change the verdict or trigger fast-close. A "treat with skepticism" reporter still receives full code verification unless the fast-close conditions are independently met. |
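Review bot: the batch action table and the "Key observations" list in this hunk contradict section 3. The `≤ 1` threshold row and the observation "Any `low` severity report with no quality signals is Fast Close" read as if a score of 1 closes the report, but the single-advisory gate only sets `fast_close=true` when all three quality signals are absent **and** a similar prior report with verdict `UNCONFIRMED` or `CONFIRMED` already exists in `REPORT_DIR`; the batch scorer has no similarity input, so a `low` or `unknown` report scoring 1 is only a fast-close candidate and still gets full code verification in `pvr_triage` when no prior report matches. Suggest relabelling that row "Likely Low Quality (Fast-Close Candidate)" and rewording the observation to say the `pvr_triage` quality gate makes the final call. Two smaller points in the same hunk: the score reference table omits the `unknown` severity row (weight 1, so identical to the `low` row, and worth stating since an unknown-severity report with no signals lands in the candidate bucket), and `confirmed_pct` and `low_share` both divide by `total_reports`, so the "No history" recommendation must be returned before the metrics are computed when `total_reports` is 0; the table lists it last as if it were a fallthrough case, so please note the evaluation order.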