Legacy Code
(based on Fefes Das nützlich-unbedenklich Spektrum)

Ownership, Contingency:
O++  Public domain / MIT / Apache
O+   Copyleft
O    We own it. But if we go under, you get the source code.
O-   We own it. You get a license we can revoke any time.
O--  We own it. We don't sell it. You can only rent it.
!O   You use our appliance / cloud service.

Source Code:
S++  The source code is public and you can change it
S+   The source code is public
S    The source code leaked a while ago
S-   We let your government view the source code
S--  The source code is secret
!S   We lost the source code

Intent, Confidence:
I+++ I make actual guarantees
I++  I have done this multiple times before. I know what I'm doing
I+   I had to adapt the design a bit over time
I    I tried to avoid security bugs while writing this
I-   Look, they paid me to do this
I--  The guy left. Code now maintained by team on Sol3
!I   I have no idea what I'm doing

C+++ We have a correctness proof and you can understand/verify it
C++  We have a correctness proof
C+   No open bugs, 100% test coverage and we do regular code audits
C    We try to fix bugs that our users tell us about
C-   We have a bug backlog (bugwave)
C--  At some point we are planning to have a bug tracking system
!C   That's not really a bug, that's just a crash!

Engineering, Design:
E+++  Least Privilege, Privilege Separation, TCB minimized
E++   We sandbox ourselves away so nothing bad can happen
E     We try to detect bad arguments
E-    Well... we fix bugs. That's good, right?
E--   We just do what we are told. You call us wrong, that's on you!
E---  We run as root / in the kernel
E---- We sell it as an application so you don't see how bad it is
!E    We do a daily AI malware scan of our blockchain

M!   Author is Don Knuth / Dan Bernstein, makes no mistakes
M+   Project is feature-complete, gets occasional security updates
M    Project gets updated regularly
M-   People send pull requests / patches to mailing list
M--  Vendor publishes quarterly patch roundup with 512 fixes each
M--- Author killed project. Unofficial forks / backups still around
!M   Author left / dead, project abandoned


V!   Software is perfect, needed no update since 1993
V++  Like V+ but has a way to notify you of new versions
V+   Regular patches and updates but you can't tell the difference
V-   Updating is such a hassle that backporting patches is a thing
V--  The new version broke so much, most people use the old one
V--- Agile. 5 updates/day, half of them break production
!V   Support ended

Protocol / Spec:
PS++  The spec is public, short and precise
PS    The spec is OK but interoperability is a bitch
PS-   The spec is too large, nobody implements all of it
PS--  The spec cannot be implemented securely
PS--- There is a spec but it's paywalled
!PS   The author made it up as he went

D!    No dependencies. You boot our image directly.
D++   We depend only on things that come with the system/distribution
D+    We depend on ... see build requirements
D     We use somebody's Docker image from the internet
D-    We don't even have a list of dependencies
D--   We load extensions dynamically from the internet (without knowing what is needed overall)
D---  Uses vendor specific lock-in APIs/features