Instrument Specification  ·  Version 1.0

Vordan External Posture Assessment

The external audit. Public record only. Six fixed components, mandatory confidence intervals, and a Posture Score on a 1–5 scale. Deployable against any publicly observable entity without organizational cooperation.

VEPA  ·  Version 1.0  ·  Active  ·  Public Record Only  ·  Posture Score 1–5

What the VEPA measures

The VEPA evaluates the observable accountability posture of any organization, platform, or institution using the public record as its sole evidentiary basis. It requires no organizational cooperation. Its findings are scoped explicitly to what is observable, and its methodology is published so that any finding can be evaluated, contested, or verified by any party with access to the same public record.

The VEPA is the instrument that makes accountability assessment independent. Where the VAF requires access, the VEPA requires only evidence. Evidence, by definition, is already public. The difference between a VEPA finding and an opinion is the citation. Every finding is sourced. Every score is bounded by a confidence interval. Every unscored component is explicitly documented with the reason.

Independence from the assessed entity is the source of this assessment's credibility. The VEPA is designed so that its most important findings can be made and sustained without organizational cooperation, and so that the only remedy available to a scored entity is to produce the evidence that would close the gap.

Six fixed posture components

P1
Traceability
Where did the awareness come from, and when?
Whether a clear, documented chain of awareness exists. Can the assessor reconstruct when the entity first identified the threat or failure, what it knew, what it disclosed, and when, from the public record alone?
P2
Structural Accountability
Does the governance model match actual risk distribution?
Whether the entity's published governance model accurately reflects the actual distribution of risk, or systematically shifts accountability burden onto parties less equipped to bear it.
P3
Response Adequacy
Was the response commensurate with the threat?
Whether observable response actions (advisories, platform changes, customer communications, tooling releases) were commensurate in scope, speed, and substance with the documented nature and scale of the threat.
P4
Governance Alignment
Does practice match commitment?
Whether the entity's observable security governance practices align with its published commitments and applicable industry baseline standards. Where gaps exist between commitment and practice, whether they are acknowledged.
P5
Disclosure Integrity
Are disclosures accurate, complete, and timely?
Whether the entity's public disclosures are accurate, complete, and timely. Accuracy without completeness is a disclosure integrity failure. Both dimensions are assessed independently.
P6
Remediation Trajectory
Is there a credible path toward closing the gap?
Whether the entity has demonstrated a credible, documented trajectory toward closing identified gaps through structural changes, not advisory-level guidance, that make the identified failure materially less likely to recur.

Evidentiary principles

Principle I
Public record only
Every finding must be traceable to a publicly available, independently verifiable source. If a finding cannot be sourced to the public record, it is not a VEPA finding.
Principle II
Absence as evidence
The absence of a public record of action is itself an evidential finding. When an entity facing a known, documented threat produces no public evidence of a response, that absence is treated as a finding, not a gap in the assessor's knowledge.
Principle III
Accuracy without completeness is insufficient
A technically accurate public statement that omits material context is treated as a partial disclosure, not a full one. P5 specifically evaluates both dimensions. An entity that issues accurate but strategically incomplete statements does not satisfy the disclosure standard.
Principle IV
Confidence intervals are mandatory
Every component score carries a stated 95% confidence interval reflecting the quality and completeness of available public evidence. No score may be published without its interval. Composite Posture Scores carry propagated confidence intervals.
Principle V
Right of response
Every assessed entity is invited to submit evidence it believes would affect any component score. The right of response does not delay publication. An entity that contests a finding without producing countervailing evidence has not closed the gap.

Published Assessments

VEPA-2026-001  ·  Reference Implementation
Salesforce, Inc.
Posture Score: 2.1 (95% CI: 1.7–2.6)
Salesforce's observable response to the ShinyHunters / UNC6040 campaign: an 18-month operation targeting more than 700 organizations. Significant and multi-dimensional accountability deficits. No component above 3.0. Published May 21, 2026.
VEPA-2026-002
UK Visa Portal
Posture Score: 4.2 (95% CI: 3.9–4.6)
A third-party immigration portal exposed at least 100,000 biometric documents (passport scans and selfie photographs) without authentication controls. After responsible disclosure by a credible reporter, the exposure remained active. No affected party notification. No governance infrastructure observable in the public record. Published May 27, 2026.

Posture Score Scale

1.0–1.9: Strong posture
2.0–2.9: Significant deficits
3.0–3.9: Systemic failure
4.0–5.0: No observable accountability