{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2019:GKS4APVFRCNX2NV4XFXS6CIMKW","short_pith_number":"pith:GKS4APVF","canonical_record":{"source":{"id":"1904.11052","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2019-04-24T20:18:59Z","cross_cats_sorted":[],"title_canon_sha256":"c9342a7fb72cd66c7f5a74dccd768dc65f7f799ae6af70222504cf5174a98e31","abstract_canon_sha256":"94b36f31c1b8bd65c80add3f678b3b382e8da2b29515e4cc58fe8e586f849bd9"},"schema_version":"1.0"},"canonical_sha256":"32a5c03ea5889b7d36bcb96f2f090c55b3874ff6e4e565255321da1284db672a","source":{"kind":"arxiv","id":"1904.11052","version":3},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1904.11052","created_at":"2026-05-17T23:45:22Z"},{"alias_kind":"arxiv_version","alias_value":"1904.11052v3","created_at":"2026-05-17T23:45:22Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1904.11052","created_at":"2026-05-17T23:45:22Z"},{"alias_kind":"pith_short_12","alias_value":"GKS4APVFRCNX","created_at":"2026-05-18T12:33:18Z"},{"alias_kind":"pith_short_16","alias_value":"GKS4APVFRCNX2NV4","created_at":"2026-05-18T12:33:18Z"},{"alias_kind":"pith_short_8","alias_value":"GKS4APVF","created_at":"2026-05-18T12:33:18Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2019:GKS4APVFRCNX2NV4XFXS6CIMKW","target":"record","payload":{"canonical_record":{"source":{"id":"1904.11052","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2019-04-24T20:18:59Z","cross_cats_sorted":[],"title_canon_sha256":"c9342a7fb72cd66c7f5a74dccd768dc65f7f799ae6af70222504cf5174a98e31","abstract_canon_sha256":"94b36f31c1b8bd65c80add3f678b3b382e8da2b29515e4cc58fe8e586f849bd9"},"schema_version":"1.0"},"canonical_sha256":"32a5c03ea5889b7d36bcb96f2f090c55b3874ff6e4e565255321da1284db672a","receipt":{"kind":"pith_
receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-17T23:45:22.258749Z","signature_b64":"ok0WihKRrvSZBT6v6kAndLmabvsTpCrsFtQTl5uaLPMn8/9ZloFJfAGo1Y+PJW9/DjS8xxWB+yVP6wtEBPvkDA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"32a5c03ea5889b7d36bcb96f2f090c55b3874ff6e4e565255321da1284db672a","last_reissued_at":"2026-05-17T23:45:22.258327Z","signature_status":"signed_v1","first_computed_at":"2026-05-17T23:45:22.258327Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"1904.11052","source_version":3,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:45:22Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"UqD8SSHiUcIbCjvpLoMJqmqNwy16mZBLuCKouQzYT89NBTzbhtgyVm/E9waQqfGxKYTU0IPOR89BCf6zsJz2AA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-23T13:31:11.800038Z"},"content_sha256":"10e9c1fc4f902dbe53cff6c4628d2866f8981336986c45f49f35f3f6b373370a","schema_version":"1.0","event_id":"sha256:10e9c1fc4f902dbe53cff6c4628d2866f8981336986c45f49f35f3f6b373370a"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2019:GKS4APVFRCNX2NV4XFXS6CIMKW","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Risky Business: Assessing Security with External Measurements","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Benjamin Edwards, Jay Jacobs, Stephanie Forrest","submitted_at":"2019-04-24T20:18:59Z","abstract_excerpt":"Security practices in large organizations are notoriously difficult 
to assess. The challenge only increases when organizations turn to third parties to provide technology and business services, which typically require tight network integration and sharing of confidential data, potentially increasing the organization's attack surface. The security maturity of an organization describes how well it mitigates known risks and responds to new threats. Today, maturity is typically assessed with audits and questionnaires, which are difficult to quantify, lack objectivity, and may not reflect current t"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1904.11052","kind":"arxiv","version":3},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-17T23:45:22Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"/NrO6hIpWa3cgTNZE1S6X1k5UJDSkXcaRs4S2/6YRYzLRnDtISbSqbIm8EUATyvwPJKkF6RjPUybyUOUy/94Ag==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-23T13:31:11.800718Z"},"content_sha256":"3a2230b6aa23ad2bd4dbe908b8852812e41
975fdd70532f2fa28ee6bbd56ee09","schema_version":"1.0","event_id":"sha256:3a2230b6aa23ad2bd4dbe908b8852812e41975fdd70532f2fa28ee6bbd56ee09"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/GKS4APVFRCNX2NV4XFXS6CIMKW/bundle.json","state_url":"https://pith.science/pith/GKS4APVFRCNX2NV4XFXS6CIMKW/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/GKS4APVFRCNX2NV4XFXS6CIMKW/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests; event and bundle signatures under the same key_id sign the digest named in their own signed_message field instead. 
Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-23T13:31:11Z","links":{"resolver":"https://pith.science/pith/GKS4APVFRCNX2NV4XFXS6CIMKW","bundle":"https://pith.science/pith/GKS4APVFRCNX2NV4XFXS6CIMKW/bundle.json","state":"https://pith.science/pith/GKS4APVFRCNX2NV4XFXS6CIMKW/state.json","well_known_bundle":"https://pith.science/.well-known/pith/GKS4APVFRCNX2NV4XFXS6CIMKW/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2019:GKS4APVFRCNX2NV4XFXS6CIMKW","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"94b36f31c1b8bd65c80add3f678b3b382e8da2b29515e4cc58fe8e586f849bd9","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2019-04-24T20:18:59Z","title_canon_sha256":"c9342a7fb72cd66c7f5a74dccd768dc65f7f799ae6af70222504cf5174a98e31"},"schema_version":"1.0","source":{"id":"1904.11052","kind":"arxiv","version":3}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"1904.11052","created_at":"2026-05-17T23:45:22Z"},{"alias_kind":"arxiv_version","alias_value":"1904.11052v3","created_at":"2026-05-17T23:45:22Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1904.11052","created_at":"2026-05-17T23:45:22Z"},{"alias_kind":"pith_short_12","alias_value":"GKS4APVFRCNX","created_at":"2026-05-18T12:33:18Z"},{"alias_kind":"pith_short_16","alias_value":"GKS4APVFRCNX2NV4","created_at":"2026-05-18T12:33:18Z"},{"alias_kind":"pith_short_8","alias_value":"GKS4APVF","created_at":"2026-05-18T12:33:18Z"}],"graph_snapshots":[{"event_id":"sha256:3a2230b6aa23ad2bd4dbe908b8852812e41975fdd70532f2fa28ee6bbd56ee09","target":"graph","created_at":"2026-05-17T23:45:22Z","signer":{"key_id":"pith-v1-2026-05","p
ublic_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"paper":{"abstract_excerpt":"Security practices in large organizations are notoriously difficult to assess. The challenge only increases when organizations turn to third parties to provide technology and business services, which typically require tight network integration and sharing of confidential data, potentially increasing the organization's attack surface. The security maturity of an organization describes how well it mitigates known risks and responds to new threats. 
Today, maturity is typically assessed with audits and questionnaires, which are difficult to quantify, lack objectivity, and may not reflect current t","authors_text":"Benjamin Edwards, Jay Jacobs, Stephanie Forrest","cross_cats":[],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2019-04-24T20:18:59Z","title":"Risky Business: Assessing Security with External Measurements"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"1904.11052","kind":"arxiv","version":3},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:10e9c1fc4f902dbe53cff6c4628d2866f8981336986c45f49f35f3f6b373370a","target":"record","created_at":"2026-05-17T23:45:22Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"94b36f31c1b8bd65c80add3f678b3b382e8da2b29515e4cc58fe8e586f849bd9","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2019-04-24T20:18:59Z","title_canon_sha256":"c9342a7fb72cd66c7f5a74dccd768dc65f7f799ae6af70222504cf5174a98e31"},"schema_version":"1.0","source":{"id":"1904.11052","kind":"arxiv","version":3}},"canonical_sha256":"32a5c03ea5889b7d36bcb96f2f090c55b3874ff6e4e565255321da1284db672a","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha25
6":"32a5c03ea5889b7d36bcb96f2f090c55b3874ff6e4e565255321da1284db672a","first_computed_at":"2026-05-17T23:45:22.258327Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-17T23:45:22.258327Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"ok0WihKRrvSZBT6v6kAndLmabvsTpCrsFtQTl5uaLPMn8/9ZloFJfAGo1Y+PJW9/DjS8xxWB+yVP6wtEBPvkDA==","signature_status":"signed_v1","signed_at":"2026-05-17T23:45:22.258749Z","signed_message":"canonical_sha256_bytes"},"source_id":"1904.11052","source_kind":"arxiv","source_version":3}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:10e9c1fc4f902dbe53cff6c4628d2866f8981336986c45f49f35f3f6b373370a","sha256:3a2230b6aa23ad2bd4dbe908b8852812e41975fdd70532f2fa28ee6bbd56ee09"],"state_sha256":"56b9f9e05a751f9f07ad929dc84b4511bceebe660682b44c284809c5e747b617"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"8KFX2Ka4+hpnaZs8JHUmWLbOF0LqHMHSjLoTbosAcfgud72S9MEV3ztSL9aDlQy6kuwayhe0teolPl20ZNG6DQ==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-23T13:31:11.804649Z","bundle_sha256":"205b1581a52ba88456bf672cad8071ded1eb3c0c9d5c882369431ad5ca1b203d"}}