Glossary

The vocabulary behind a certified software valuation.

Plain-English definitions written for founders, investors, CIOs and legal counsel who need to understand what they are buying and how it works. Where a standard or framework is referenced, it is named so it can be verified independently.

Category: The Codeego Product.

Certified Software Valuation
An independent, evidence-based assessment of a codebase that produces both a numeric score for the software's production readiness and a monetary range for its replacement value. Certified by a Trusted Third Party so the result carries weight in a deal, an audit or a dispute.
Codeego Code Score
The general name for the 0-100 metric produced by the Codeego Engine. The same metric appears as the Production Readiness Score in private customer reports and as the rank on the public Codeego Ranking.
Codeego Engine
The technology that runs the analysis: static measurement, AI-assisted reading and deterministic valuation. The same engine scores private codebases and the public Codeego Ranking entries.
Codeego Platform
The customer-facing application at app.codeego.com where assessments are commissioned, monitored and delivered.
Codeego Ranking
The public leaderboard of open source software projects analysed by the Codeego Engine. Projects opt in to be included. Scores follow the same methodology as private customer valuations.
Compliance Report
A report shipped with Expert and Enterprise tiers that maps the assessment against industry security and process controls. Useful for buyers who need to evidence alignment with established frameworks.

References: OWASP ASVS, SOC 2

Continuous IP Custody
An ongoing variant of IP Custody offered to Enterprise customers. Maintains a continuous, version-by-version record of the codebase as it evolves, rather than a single point-in-time snapshot.
Economic Valuation
The monetary component of the Software Valuation Report. Translates the technical findings into a rebuild-cost or replacement-value range, adjusted for delivery scenario (in-house, nearshore, offshore) and AI tooling assumptions.
Evidence Certificate
A signed PDF proving the assessment was performed by the Codeego Engine on a specific codebase on a specific date, under a documented methodology. Included in every tier.
IP Custody
A service that preserves the codebase and the full assessment file (report, certificate, audit trail) in tamper-resistant long-term storage. Available from the Pro tier onwards.
IP Custody Certificate
The signed artefact that proves IP Custody was performed. Records the cryptographic fingerprint of the preserved files and the date they entered custody.
Production Readiness Score
The headline 0-100 number on every Codeego report. A single figure that summarises how ready a codebase is for production deployment. Computed by combining the seven scoring dimensions through a transparent, published formula.
Software Valuation Report
The complete deliverable a Codeego customer receives. Bundles four components: the Technical Valuation, the Economic Valuation, the Evidence Certificate and the IP Custody Certificate. Expert tier and above add a Compliance Report.
Technical Valuation
The scoring component of the Software Valuation Report. Contains the headline Production Readiness Score, the seven sub-scores, the strengths, the critical issues and the prioritised recommendations.

Category: The Methodology.

AI-Assisted Reading
The third stage. A large language model reads through the code the way a senior engineer would in a code review: identifies strengths, weaknesses, security concerns and architectural choices. The AI describes; the maths decides.
Code Quality (dimension)
One of the seven scoring dimensions. Measures structure, readability, type safety, complexity and maintainability of the codebase.
Dependencies (dimension)
One of the seven scoring dimensions. Measures the health, freshness, license compatibility and known-vulnerability status of the external libraries a codebase relies on.
Deterministic Valuation
The fourth stage, and the core proof claim. Hours, costs and scores are computed by a transparent formula that combines the static measurements, the AI signals and market rates. The same code in produces the same numbers out. Every input, prompt and parameter is versioned for reproducibility.
Documentation (dimension)
One of the seven scoring dimensions. Measures coverage and accuracy of READMEs, API references, examples and architectural documentation.
Error Handling (dimension)
One of the seven scoring dimensions. Measures the consistency and discipline of how the codebase handles failures: exception hierarchies, recovery patterns, retry policies, circuit breakers.
Observability (dimension)
One of the seven scoring dimensions. Measures the codebase's logging, metrics and tracing facilities. A well-observed system can be debugged in production; a poorly observed one cannot.
Score Bands
The four plain-English labels Codeego applies to scores. Excellent: 90-100. Good: 75-89. Acceptable: 60-74. Weak: below 60. Used on every Codeego deliverable and on the public Codeego Ranking.
Secure Ingestion
The first stage of the Codeego method. The codebase is uploaded or pulled via short-lived Git credentials into an isolated workspace. On Starter, the working copy is discarded after the assessment; from Pro upwards, it is sealed and held in IP Custody.
Security (dimension)
One of the seven scoring dimensions. Measures security practices in the code: dependency vulnerabilities, secrets management, input validation and the presence of automated security scanning in the build pipeline.

References: OWASP ASVS

Seven Dimensions
The seven categories that make up the Production Readiness Score. Each is scored 0-100 independently before being weighted and combined: Security, Code Quality, Dependencies, Documentation, Observability, Test Coverage, Error Handling.
Static Measurement
The second stage. Counts files, lines of code, languages, dependencies and complexity. Facts, not opinions. Forms the skeleton of the valuation.
Test Coverage (dimension)
One of the seven scoring dimensions. Measures the breadth and depth of the codebase's automated test suite and its integration into the build pipeline.

Category: Trust & Security.

Audit trail
A time-stamped, tamper-resistant record of every action taken during an assessment. Every event is hashed, signed, and chained to the next, so any later modification breaks the chain and is detectable.
Chain of custody
An unbroken, traceable record of every party that has handled an artefact and every action that has been taken with it. Codeego maintains a continuous chain of custody from code ingestion through to certificate signing, so the lifecycle of every assessment can be replayed and verified.
Confidential Computing
An umbrella term for techniques that protect data in use, not just data at rest or in transit. Codeego uses Confidential Computing (specifically TEEs) for the highest-assurance assessments.
Cryptographic fingerprinting
A method of generating a unique, fixed-length identifier (a hash) from a piece of code. Any change to the code, however small, produces a completely different fingerprint. Codeego fingerprints every codebase at ingestion so its integrity can be verified at any later date.

References: SHA-256

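The Audit trail and Cryptographic fingerprinting entries above describe the same mechanism: hash each artefact and event with SHA-256, sign the hash, and chain each event to the previous one so that any later edit is detectable. The following is an added, constructed example of that mechanism, not Codeego's own code. It assumes a toy in-memory "codebase" (a path-to-bytes mapping), constructed timestamps, and an HMAC-SHA256 keyed with a constructed key as a stand-in for the digital signature the page mentions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample "codebase": path -> file contents. Stands in for a
# repository working copy; none of this comes from Codeego.
SAMPLE_CODEBASE = {
    "README.md": b"# demo\nA constructed example project.\n",
    "src/app.py": b"def handler(x):\n    return x * 2\n",
    "requirements.txt": b"requests==2.32.0\n",
}

# Constructed key: stand-in for the real signer's key (assumption, not real).
SIGNING_KEY = b"example-signing-key-not-a-real-secret"

GENESIS = "0" * 64  # prev_hash of the first event in a chain


def fingerprint_codebase(files: dict[str, bytes]) -> str:
    """SHA-256 fingerprint of a whole tree.

    Each file is hashed on its own, then the sorted (path, file-hash) pairs are
    hashed together. The result does not depend on dict order, but changes if
    any byte of any file, or any path, changes.
    """
    h = hashlib.sha256()
    for path in sorted(files):
        file_hash = hashlib.sha256(files[path]).hexdigest()
        h.update(f"{path}\0{file_hash}\n".encode())
    return h.hexdigest()


@dataclass
class AuditEvent:
    seq: int
    timestamp: str
    action: str
    detail: str
    prev_hash: str
    event_hash: str = ""
    signature: str = ""

    def canonical(self) -> bytes:
        # Deterministic serialisation of the fields covered by the hash.
        body = {
            "seq": self.seq, "timestamp": self.timestamp, "action": self.action,
            "detail": self.detail, "prev_hash": self.prev_hash,
        }
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list[AuditEvent], timestamp: str, action: str, detail: str) -> AuditEvent:
    """Hash, sign and chain a new event onto the trail."""
    prev_hash = chain[-1].event_hash if chain else GENESIS
    ev = AuditEvent(len(chain), timestamp, action, detail, prev_hash)
    ev.event_hash = hashlib.sha256(ev.canonical()).hexdigest()
    # HMAC-SHA256 over the event hash stands in for a digital signature.
    ev.signature = hmac.new(SIGNING_KEY, ev.event_hash.encode(), hashlib.sha256).hexdigest()
    chain.append(ev)
    return ev


def verify_chain(chain: list[AuditEvent]) -> tuple[bool, int]:
    """Return (True, length) for an intact chain, else (False, index of first bad event)."""
    expected_prev = GENESIS
    for i, ev in enumerate(chain):
        if ev.prev_hash != expected_prev:          # link to previous event broken
            return False, i
        if hashlib.sha256(ev.canonical()).hexdigest() != ev.event_hash:
            return False, i                        # event body edited after hashing
        expected_sig = hmac.new(SIGNING_KEY, ev.event_hash.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, ev.signature):
            return False, i                        # hash re-computed without the key
        expected_prev = ev.event_hash
    return True, len(chain)


def build_assessment_trail(files: dict[str, bytes]) -> list[AuditEvent]:
    """Constructed three-event trail: ingest, measure, sign (timestamps are made up)."""
    chain: list[AuditEvent] = []
    fp = fingerprint_codebase(files)
    append_event(chain, "2024-01-01T00:00:00Z", "ingest", f"codebase fingerprint {fp}")
    append_event(chain, "2024-01-01T00:05:00Z", "static-measurement", "3 files, 2 languages")
    append_event(chain, "2024-01-01T00:20:00Z", "certificate-signed", "evidence certificate issued")
    return chain


if __name__ == "__main__":
    trail = build_assessment_trail(SAMPLE_CODEBASE)
    print("intact:", verify_chain(trail))
    trail[1].detail = "3 files, 1 language"   # simulate a later edit
    print("after edit:", verify_chain(trail))
```

The check is only as strong as the key: an editor who can re-hash an event but not re-sign it is caught by the signature check, and one who can re-sign it is still caught at the next event, whose prev_hash no longer matches. In a production trail the HMAC would be a signature under a key the storage operator does not hold.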
Post-quantum cryptography
Cryptographic methods designed to remain secure against attacks from future quantum computers. Codeego uses post-quantum cryptography to protect codebases and assessments held in long-term IP Custody.

References: NIST PQC standardisation programme

Trusted Execution Environment (TEE)
A hardware-isolated area inside a processor where code and data are processed under cryptographic protection, shielded even from the host operating system. Codeego uses TEEs for confidential analysis when sensitive code requires extra isolation.

References: Confidential Computing Consortium

Trusted Third Party
An independent party that vouches for the integrity of the assessment, separate from the buyer, the seller and the team that wrote the code. Codeego operates under this model so the valuation cannot be tilted by anyone with a stake in the outcome.
Zero Trust
An access architecture in which nothing is trusted by default, including the people and systems inside the network. Codeego applies it to source code: every interaction is scoped, time-bound and audited. There is no system, runtime or production access.

References: NIST SP 800-207

Category: Standards & Frameworks.

CAdES
CMS Advanced Electronic Signatures. A standard for advanced digital signatures based on Cryptographic Message Syntax (CMS, defined in IETF RFC 5652). CAdES extends CMS to meet eIDAS requirements for advanced and qualified electronic signatures, providing long-term validity, integrity protection and cross-border signature verification.

References: ETSI EN 319 122 / IETF RFC 5652

DORA
The EU Digital Operational Resilience Act. Requires financial entities to manage information and communications technology risk, including risk from third-party software. Codeego provides independent technical evidence relevant to DORA compliance.
MiCA
The EU Markets in Crypto-Assets Regulation. The framework for crypto-asset service providers in the European Union. Codeego provides certified technical assessments relevant to MiCA documentation requirements.
MiFID II
The EU Markets in Financial Instruments Directive II. The regulation governing investment firms and trading venues in the European Union. Codeego provides certified assessments useful to firms documenting their software estate under MiFID II.
NIST SP 800-207
The US National Institute of Standards and Technology's special publication defining Zero Trust Architecture. Codeego's access model follows the principles set out in this document.

References: nist.gov

OWASP ASVS
The Application Security Verification Standard from the Open Web Application Security Project. An open, widely adopted framework defining security requirements for web applications. Codeego's Compliance Report maps the codebase against ASVS controls.

References: owasp.org/ASVS

Qualified Electronic Signature (QES)
Under eIDAS, the highest legal tier of electronic signature in the European Union. A QES carries the same legal weight as a handwritten signature and is admissible as evidence in legal proceedings across all EU member states. Requires a qualified certificate issued by a Qualified Trust Service Provider and creation using a qualified signature creation device.

References: eIDAS Article 3(12), Article 25

Qualified Trust Service Provider (QTSP)
Under eIDAS, an organisation authorised by an EU member state's supervisory body to provide qualified trust services such as issuing qualified certificates, qualified electronic signatures, qualified timestamps and qualified preservation services. QTSPs appear on national trusted lists, and their qualified services carry presumed legal validity across the EU.

References: eIDAS Article 3(20), Article 17

RFC 3161
The internet standard for trusted timestamping. Defines how a Time Stamping Authority issues a signed proof that a specific document existed at a specific moment. Codeego uses RFC 3161 timestamps on certificates so the date of issue cannot be challenged later.

References: IETF RFC 3161

Regulation (EU) No 910/2014
The formal name of the eIDAS Regulation. Came into force in July 2014 and established a single legal framework across the EU for electronic identification, authentication and trust services. Cited on the Evidence Certificate to indicate the regulatory basis under which the qualified trust services are delivered.

References: Official Journal of the EU, L 257

SHA-256
A cryptographic hash function from the SHA-2 family that produces a 256-bit fingerprint of any input. Used by Codeego to fingerprint codebases and to chain audit trail events.

References: FIPS 180-4

SOC 2
A reporting framework developed by the American Institute of CPAs that evaluates a service organisation's controls over security, availability, processing integrity, confidentiality and privacy. Codeego's Compliance Report aligns the assessment with SOC 2 criteria.

References: aicpa.org/SOC

X.509
The international standard defining the format of digital certificates. Codeego's signed deliverables use X.509 certificates so signatures can be verified using any standard PKI tooling.

References: ITU-T X.509 / RFC 5280

eIDAS
The European Union regulation governing electronic identification and trust services for electronic transactions in the EU's internal market. Provides the legal framework for qualified trust services, qualified electronic signatures and qualified trust service providers across all EU member states. May appear in references on the Evidence Certificate.

References: Regulation (EU) No 910/2014

Category: Technical Terms.

CI/CD
Continuous Integration and Continuous Deployment. Automated pipelines that build, test and ship software whenever changes are committed. Codeego inspects the configuration of CI/CD pipelines in a repository, but does not access or run them.
Codebase
The full body of source code, structure, dependencies and version history that makes up a software product. This is what Codeego analyses.
DAST
Dynamic Application Security Testing. The practice of testing a running application for security flaws from the outside. Distinct from SAST because it requires the software to be executing.
Large Language Model (LLM)
An AI system trained on large volumes of text and code, able to read and explain software at near-human quality. Codeego uses an LLM in the AI-Assisted Reading stage, bounded so that prompts, parameters and inputs are versioned for reproducibility.
Lines of Code (LOC)
A simple measure of the size of a codebase. One of several inputs into Codeego's effort and cost estimation, alongside language mix, complexity and architecture.
Repository
The storage location, typically Git-based (hosted on GitHub, GitLab, Bitbucket or similar), where source code is kept and version-controlled. Codeego ingests from the repository, then analyses an isolated working copy.
SAST
Static Application Security Testing. The practice of analysing source code for security flaws without running it. Codeego performs SAST-style analysis as part of the Security scoring dimension.
Source code
The human-readable text files that programmers write to define how a piece of software behaves. The raw input to the Codeego Engine.

Category: Business Terms.

Due Diligence (DD)
The investigative process a buyer, investor or partner runs before committing to a transaction. Technical Due Diligence is the software-focused subset.
Intellectual Property (IP)
The legal rights attached to a creation of the mind, including software. Codeego treats source code as IP, providing independently certified evidence of its existence, content and ownership at a specific point in time.
M&A
Mergers and Acquisitions. The corporate activity of buying, selling or combining companies. Software valuations are routinely commissioned during M&A processes to ground the deal on independent technical evidence.
Technical Due Diligence
The investigation a prospective buyer or investor runs to verify the technical claims and quality of a software asset before a deal closes. Codeego provides the evidence-based technical layer of this process, in under 20 minutes.