The 2038-Class Risk Exposure Matrix
A free, open framework for assessing systemic infrastructure risk — introduced through the 2038 time rollover (February 2026 release)
The 2038 problem is real — but it is also representative. It belongs to a broader class of risks where long-lived systems encounter hard boundaries: epoch rollovers, representation limits, protocol horizons, and assumptions that silently expire.
Most teams lack a consistent way to assess these exposures or to communicate them clearly to leadership. The Matrix exists to make risk comparable — not to make it look small.
The problem
Teams are routinely asked to reason about radically different exposures: a Kerberos edge case, a libc dependency, a vendor appliance, an embedded controller expected to run for thirty years.
Without a shared vocabulary, these risks don’t compare — and what doesn’t compare tends not to get funded, staffed, or scheduled.
The framework
The 2038-Class Risk Exposure Matrix evaluates four dimensions that recur across many kinds of systemic risk:
- Impact — If this fails, how bad is it?
- Uncertainty — Have you actually tested, or are you guessing?
- Difficulty — If you decided to fix it, could you?
- Blast radius — Does failure stay local, or cascade?
Each dimension is scored high / medium / low. The result is a compact assessment you can paste into a README, ticket, risk register, or leadership one-pager.
Although introduced through the lens of the 2038 time rollover, the Matrix is intentionally generic and has already proven useful for other boundary-driven and coordination-heavy risks.
The matrix at a glance
A 3×3 grid scores Impact, Uncertainty, and Difficulty. The surrounding rings encode blast radius — 📍 local, 🏭 sector-wide, or 🌍 cross-sector.
Together, these produce a compact badge format suitable for documentation, governance discussions, and cross-team comparison.
💥 ⁉️ ⛔ 🌍
Impact · Uncertainty · Difficulty · Blast radius
Emoji key
Each assessment compresses into a four-emoji string, always in the same order:
Impact · Uncertainty · Difficulty · Blast radius
This makes exposures easy to compare across systems, teams, and documents — without forcing false precision.
Impact
| Level | Emoji | Meaning |
|---|---|---|
| High | 💥 | Crisis — loss of life, safety, or critical function |
| Medium | ⚠️ | Serious — major disruption requiring coordinated response |
| Low | 🥱 | Annoying — limited consequence, not urgent |
Uncertainty
| Level | Emoji | Meaning |
|---|---|---|
| High | ⁉️ | Guessing — not tested, unknown behavior |
| Medium | 🔬 | Partial view — some testing, gaps remain |
| Low | ✅ | Confident — tested, audited, understood |
Difficulty
| Level | Emoji | Meaning |
|---|---|---|
| High | ⛔ | Blocked — no viable fix exists, or infeasible in practice |
| Medium | 🛠️ | Hard work — fixable with significant effort and coordination |
| Low | 🛝 | Tractable — straightforward with available resources |
Blast radius
| Scope | Emoji | Meaning |
|---|---|---|
| Cross-sector | 🌍 | Systemic — cascades across sectors and shared dependencies |
| Sector-wide | 🏭 | Spreading — impacts an industry or ecosystem |
| Local | 📍 | Contained — isolated to a single system, site, or dependency |
Examples
| System | Badge | Reading |
|---|---|---|
| Kerberos | 💥⁉️🛠️🌍 | High impact, high uncertainty, medium difficulty, cross-sector |
| glibc | 💥✅⛔🏭 | High impact, low uncertainty, high difficulty, sector-wide |
| Satellites | ⚠️⁉️⛔🏭 | Medium impact, high uncertainty, high difficulty, sector-wide |
How to score a system
- Pick one system or dependency and score it conservatively, one dimension at a time.
- Start with Impact: if this fails, what is the worst credible outcome?
- Then Uncertainty: have you actually tested this path, or are you inferring safety?
- Next Difficulty: if you decided to fix it today, is there a realistic remediation path?
- Finally Blast radius: if it fails, is it local, sector-wide, or cross-sector?
- When in doubt, score toward higher risk — the matrix is designed to surface unknowns, not to prove safety.
The goal is not precision — it’s comparability across teams and systems.
Badge format (copy & paste)
Each assessment compresses into a four-emoji badge, always in the same order. The vocabulary is fixed; the ordering matters.
💥⁉️🛠️🌍
Impact · Uncertainty · Difficulty · Blast radius
Paste this into a README, risk register, issue tracker, or one-pager for leadership. When sharing externally, link back to this page so the key is always available.
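An added example (not part of the original page or the Proper Tools materials): a small Python decoder that checks a badge against the fixed vocabulary and ordering above and renders it as the plain-language reading used in the Examples table. The function names are hypothetical, and stripping the emoji variation selector is an assumption about how editors and issue trackers store these symbols.

```python
# Added example: validate and decode 2038-Class Risk Exposure Matrix badges.
VS16 = "\ufe0f"  # emoji variation selector; some editors add it, some drop it

# Fixed vocabulary from the emoji key, in badge order; each list runs high -> low.
DIMENSIONS = [
    ("impact",       ["💥", "⚠️", "🥱"]),
    ("uncertainty",  ["⁉️", "🔬", "✅"]),
    ("difficulty",   ["⛔", "🛠️", "🛝"]),
    ("blast radius", ["🌍", "🏭", "📍"]),
]
LEVELS = ["high", "medium", "low"]
SCOPES = ["cross-sector", "sector-wide", "local"]


def _symbols(text):
    """Drop variation selectors and whitespace so '💥 ⁉️ ⛔ 🌍' and '💥⁉⛔🌍' match."""
    return [ch for ch in text if ch != VS16 and not ch.isspace()]


def parse_badge(badge):
    """Return {dimension: level}; raise ValueError on wrong length, order or symbol."""
    symbols = _symbols(badge)
    if len(symbols) != len(DIMENSIONS):
        raise ValueError(f"expected 4 symbols, got {len(symbols)}: {badge!r}")
    result = {}
    for symbol, (name, emojis) in zip(symbols, DIMENSIONS):
        allowed = ["".join(_symbols(e)) for e in emojis]
        if symbol not in allowed:
            # A valid emoji in the wrong slot lands here too: the ordering matters.
            raise ValueError(f"{symbol!r} is not a valid {name} symbol in {badge!r}")
        labels = SCOPES if name == "blast radius" else LEVELS
        result[name] = labels[allowed.index(symbol)]
    return result


def reading(badge):
    """Render a badge as the sentence form used in the Examples table."""
    parsed = parse_badge(badge)
    parts = [f"{parsed[n]} {n}" for n in ("impact", "uncertainty", "difficulty")]
    text = ", ".join(parts + [parsed["blast radius"]])
    return text[0].upper() + text[1:]


if __name__ == "__main__":
    # Badges taken from the page's own worked examples.
    for system, badge in {"Kerberos": "💥⁉️🛠️🌍", "glibc": "💥✅⛔🏭"}.items():
        print(f"{system}: {badge} -> {reading(badge)}")
```

Running a check like this over a risk register or a set of README files catches badges whose symbols were pasted in the wrong order before they reach a comparison table.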
Workshop materials
- 30 slides with detailed facilitator notes
- Worked examples: Kerberos, glibc, satellites
- Discussion prompts and fallback questions
- Ministerial framing for governance decisions
Download workshop slides (.pptx, ~44MB) →
Download workshop slides (.pdf, ~29MB) →
License
Licensed under CC BY 4.0. Ship it, remix it, adapt it — commercial use encouraged. Just give credit.
Suggested attribution:
“2038 Exposure Matrix — Proper Tools (Trey Darley), CC BY 4.0. Source: propertools.be/commons/2038-exposure-matrix/”
Want help?
If you'd like help running a tailored version for your team, that’s the kind of work Proper Tools does.
Want a free 2038 Exposure Matrix sticker pack?
Send us your mailing address → and we’ll send you stickers. First-class mail, anywhere on Planet Earth†. One per person. Teams, just ask‡.
Please include your full name, where you work, the precise UTC ISO 8601 timestamp when 32-bit time_t rolls over in 2038, and exactly what we should write on the envelope for it to reach you.
Also, please put STICKER PACK REQUEST somewhere in the email subject so we can track your request.
If you throw in a solid album recommendation, we may throw in a little something extra to say “thanks”.
† Some geopolitical exceptions may apply.
‡ Best effort, while supplies last.
Acknowledgements and Origins
This framework was first presented at FOSDEM 2026. It is part of the broader work of the FIRST Time Security SIG and the Epochalypse Project.