HICS Scoring Methodology

The complete scoring algorithm for HICS (H33 Independent Code Scoring). Every weight, threshold, and deduction rule is published here for public audit. The algorithm is the authority.

Algorithm Version: 1.0.0 · Effective: March 30, 2026 · Published by H33.ai, Inc.

1. Composite Score Formula

Final = (Crypto × 0.30) + (Vuln × 0.25) + (Data × 0.20) + (Ops × 0.15) + (Health × 0.10)

Each category is scored independently from 0 to 100. The final score is the weighted sum, rounded to the nearest integer. Grade thresholds:

Grade	Score Range
A	90 – 100
B	80 – 89
C	70 – 79
D	60 – 69
F	50 – 59
F-	0 – 49

2. Category Definitions

2.1 Cryptographic Security (30%)

Evaluates the codebase's cryptographic posture. Detects post-quantum vulnerable algorithms, classical cryptographic misuse, key management failures, and transport security issues.

PQ-Vulnerable Asymmetric: ECDH, ECDSA, RSA, Ed25519 (without hybrid PQ companion)
Classical Misuse: MD5, SHA-1, DES, RC4, AES-ECB, AES-CBC without AEAD
Key Management: Hardcoded secrets (Shannon entropy-weighted confidence)
Positive Credits: +4 per Dilithium/Kyber usage, +3 per FALCON, +2 per SPHINCS+ (capped at +15)
Hybrid Detection: If file uses BOTH Ed25519 and Dilithium, the classical finding is skipped (defense-in-depth)

2.2 Vulnerability Surface (25%)

Detects injection attacks, authentication bypass patterns, XSS, SSRF, and hardcoded credentials. AST-based: uses tree-sitter to distinguish real assignments from match arms and classifiers.

Injection: SQL (raw_sql with interpolation), command injection (subprocess + user input), deserialization (pickle, yaml.load)
Credentials: String assignments to password/secret/token-named variables (skips test code, short values, known test prefixes)
Auth Bypass: JWT "none" algorithm acceptance (hard fail)
XSS: dangerouslySetInnerHTML, v-html

2.3 Data Handling & Privacy (20%)

Evaluates PII handling, encryption at rest, GDPR/HIPAA compliance patterns, and browser-side data exposure.

PII in Logs: Detects password/secret/SSN/credit_card in log call arguments (not just format strings)
Encryption at Rest: Flat deduction if no AES/KMS/FHE detected across all files (including crypto libraries)
GDPR: Consent mechanism detection, right-to-erasure pattern detection
Browser: Sensitive data in localStorage/sessionStorage

2.4 Operational Resilience (15%)

Evaluates error handling, external service resilience, rate limiting, and observability.

Panic Detection: Counts bare .unwrap() (not .expect()) in non-test, non-startup code. Grouped by file.
HTTP Calls: Checks for error handling and timeouts on external API calls. Skips client construction.
Flat Deductions: No rate limiting, no health check, no structured logging

2.5 Code Health & Maintainability (10%)

Evaluates test coverage, CI/CD, code complexity, and project hygiene. Advisory — these findings are not security-critical.

Test Ratio: test_lines / code_lines (counts inline #[cfg(test)] modules)
Complexity: Nesting depth > 10 levels, function length > 500 lines, file length > 2000 lines
Hygiene: README, LICENSE, CHANGELOG presence (filesystem-level check)
CI/CD: .gitlab-ci.yml, .github/workflows, Jenkinsfile detection

3. Confidence-Weighted Deductions

Every finding carries a confidence score between 0.0 and 1.0. The actual deduction is:

deduction = base_deduction × confidence

A finding with base deduction 8.0 and confidence 0.60 deducts 4.8 points, not 8.0. This eliminates the binary pass/fail problem. Low-confidence findings (pattern matches in ambiguous contexts) are automatically softened.

Shannon entropy determines confidence for hardcoded secret detection. High entropy (>4.5) = likely real secret (confidence 0.95). Low entropy (<3.0) = likely placeholder (confidence 0.30).

4. Density Caps

Each finding type has a maximum total deduction (density cap) to prevent a single issue pattern from overwhelming the score:

Finding Type	Cap (pts)
Crypto: PQ-vulnerable key exchange	15 – 22
Crypto: Weak hash/cipher	9 – 20
Vuln: SQL injection	24
Vuln: Command injection	18
Ops: No error handling	9
Ops: No timeout	12
Ops: Panic on input	8
Health: High complexity	5
Health: Long function	4
Health: Large file	3
No cap: Hardcoded secrets, JWT none, SSN, credit card, CVV, plaintext password	Unlimited

5. Test Code Weighting

Findings in test code receive 25% of production weight. A finding that deducts 8.0 in production code deducts 2.0 in test code. Test code is identified by:

File path containing "test", "spec", "bench", "fixture", "mock"
Lines below #[cfg(test)] in Rust files
AST-detected test attribute nodes

6. Hard Fails

Certain findings force the entire category to 0/100:

JWT "none" algorithm accepted in production code
Hardcoded production credential with high entropy (>4.5) outside test code

7. Positive Credits

Post-quantum cryptographic usage earns positive credits, capped at +15 per category:

Detection	Credit
Kyber / ML-KEM usage	+4.0
Dilithium / ML-DSA usage	+4.0
FALCON usage	+3.0
SPHINCS+ / SLH-DSA usage	+2.0

8. Directory Exclusions

The following directories are excluded from scanning (not core application code):

node_modules, vendor, target, dist, build, docs, blog, public, k8s, deploy, helm, terraform, coverage, examples, benches, benchmarks, programs, contracts, migrations, formal, fuzz, sdk, wasm-verifier

9. AST Parsing

HICS uses tree-sitter AST parsing for Rust, Python, JavaScript, and TypeScript. This replaces string matching with structural analysis:

find_string_assignments: Identifies variable = "string literal" assignments. Excludes match arms, array literals, and test modules.
find_function_calls: Matches function/macro call nodes. Captures full call text for context analysis.
find_direct_child_by_kind: Only checks direct children, not grandchildren — prevents flagging struct field values as variable assignments.
is_in_test_module: Detects #[cfg(test)] attribute nodes to split test vs production code.

Files without AST support fall back to line-by-line pattern matching with reduced confidence.

10. Attestation

The scoring results are sealed with:

SHA3-256 Merkle Tree: Commits every file in the codebase without revealing contents.
STARK Proof: Proves the scoring algorithm executed correctly on the committed codebase. Zero-knowledge. No trusted setup. Quantum-resistant.
Dilithium ML-DSA-65 Signature (FIPS 204): Post-quantum signature. Cannot be forged by classical or quantum computers.
Proof ID: SHA3-256 hash of the complete certificate. Permanent. Verifiable at h33.ai/verify.

11. Algorithm Changes

H33 may update the scoring algorithm at any time. Substantive changes (weight modifications, new finding types, threshold changes) increment the algorithm version number and are documented on this page. Historical scores reflect the algorithm version active at time of scan. Scores are not retroactively updated.

This methodology is open for public audit. The formula, weights, thresholds, and finding type definitions are published here in full. The implementation (AST scanners, STARK proof generation, Dilithium signing) is proprietary. The methodology is transparent. The technology is licensed. Anyone can verify the math. The algorithm is the authority.

HICS performs automated pattern analysis. It is not a security audit, penetration test, or professional assessment of any kind. A high score does not mean your code is secure. A low score does not mean your code is insecure. Full terms: h33.ai/hics/terms