The 2038-Class Risk Exposure Matrix
A free, open framework for assessing systemic infrastructure risk — introduced through the 2038 time rollover (February 2026 release)
The 2038 problem is real — but it is also representative. It belongs to a broader class of risks where long-lived systems encounter hard boundaries: epoch rollovers, representation limits, protocol horizons, and assumptions that silently expire.
Most teams lack a consistent way to assess these exposures or to communicate them clearly to leadership. The Matrix exists to make risk comparable — not to make it look small.
The problem
Teams are routinely asked to reason about radically different exposures: a Kerberos edge case, a libc dependency, a vendor appliance, an embedded controller expected to run for thirty years.
Without a shared vocabulary, these risks don’t compare — and what doesn’t compare tends not to get funded, staffed, or scheduled.
The framework
The 2038-Class Risk Exposure Matrix evaluates four dimensions that recur across many kinds of systemic risk:
- Impact — If this fails, how bad is it?
- Uncertainty — Have you actually tested, or are you guessing?
- Difficulty — If you decided to fix it, could you?
- Blast radius — Does failure stay local, or cascade?
Each dimension is scored high / medium / low. The result is a compact assessment you can paste into a README, ticket, risk register, or leadership one-pager.
Although introduced through the lens of the 2038 time rollover, the Matrix is intentionally generic and has already proven useful for other boundary-driven and coordination-heavy risks.
The matrix at a glance
A 3×3 grid scores Impact, Uncertainty, and Difficulty. The surrounding rings encode blast radius — 📍 local, 🏭 sector-wide, or 🌍 cross-sector.
Together, these produce a compact badge format suitable for documentation, governance discussions, and cross-team comparison.
💥 ⁉️ ⛔ 🌍
Emoji key
Each assessment compresses into a four-emoji string, always in the same order:
Impact ∷ Uncertainty ∷ Difficulty ∷ Blast radius
This makes exposures easy to compare across systems, teams, and documents — without forcing false precision.
On the emoji set. Some people love the emojis. Some people hate them. The point is not to be cute or to diminish the seriousness of the subject matter. The point is compression: a stable, low-friction way to carry a lot of cross-layer complexity through mixed audiences, messy documentation, and imperfect conditions — including the very real scenario of someone, somewhere, trying to interpret a vendor PDF in a second language under poor lighting and time pressure.
The emoji set has already changed once since the initial FOSDEM workshop, based on feedback and focused design sessions with subject matter experts deeply familiar with the practical challenges of cross-cultural risk communication and coordination.
Impact
| Level | Emoji | Meaning |
|---|---|---|
| High | 💥 | Crisis — loss of life, safety, or critical function |
| Medium | ⚠️ | Serious — major disruption requiring coordinated response |
| Low | 🥱 | Annoying — limited consequence, not urgent |
Uncertainty
| Level | Emoji | Meaning |
|---|---|---|
| High | ⁉️ | Guessing — not tested, unknown behavior |
| Medium | 🔬 | Partial view — some testing, gaps remain |
| Low | ✅ | Confident — tested, audited, understood |
Difficulty
| Level | Emoji | Meaning |
|---|---|---|
| High | ⛔ | Blocked — no viable fix exists, or infeasible in practice |
| Medium | 🛠️ | Hard work — fixable with significant effort and coordination |
| Low | 🛝 | Tractable — straightforward with available resources |
Blast radius
| Scope | Emoji | Meaning |
|---|---|---|
| Cross-sector | 🌍 | Systemic — cascades across sectors and shared dependencies |
| Sector-wide | 🏭 | Spreading — impacts an industry or ecosystem |
| Local | 📍 | Contained — isolated to a single system, site, or dependency |
Examples
| System | Badge | Reading |
|---|---|---|
| Kerberos | 💥⁉️🛠️🌍 | High impact, high uncertainty, medium difficulty, cross-sector |
| glibc | 💥✅⛔🏭 | High impact, low uncertainty, high difficulty, sector-wide |
| Satellites | ⚠️⁉️⛔🏭 | Medium impact, high uncertainty, high difficulty, sector-wide |
How to score a system
- Pick one system or dependency and score it conservatively, one dimension at a time.
- Start with Impact: if this fails, what is the worst credible outcome?
- Then Uncertainty: have you actually tested this path, or are you inferring safety?
- Next Difficulty: if you decided to fix it today, is there a realistic remediation path?
- Finally Blast radius: if it fails, is it local, sector-wide, or cross-sector?
- When in doubt, score toward higher risk — the matrix is designed to surface unknowns, not to prove safety.
The goal is not precision — it’s comparability across teams and systems.
Badge format (copy & paste)
Each assessment compresses into a four-emoji badge, always in the same order. The vocabulary is fixed; the ordering matters.
💥⁉️🛠️🌍
Impact ∷ Uncertainty ∷ Difficulty ∷ Blast radius
Paste this into a README, risk register, issue tracker, or one-pager for leadership. When sharing externally, link back to this page so the key is always available.
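Because the vocabulary and ordering are fixed, a pasted badge can be validated mechanically before it lands in a risk register. The Python parser below is an added example, not part of the original page or the workshop kit; the names `parse_badge` and `reading` are assumptions, and it tolerates the emoji variation selector (U+FE0F) that copy and paste often adds or drops.

```python
VS16 = "\ufe0f"  # emoji variation selector; copy/paste often adds or drops it

def _vocab(pairs):
    # Store keys without VS16 so lookups work on normalised input.
    return {emoji.replace(VS16, ""): level for emoji, level in pairs}

# Fixed vocabulary from the key tables above, in badge order.
DIMENSIONS = [
    ("impact", _vocab([("💥", "high"), ("⚠️", "medium"), ("🥱", "low")])),
    ("uncertainty", _vocab([("⁉️", "high"), ("🔬", "medium"), ("✅", "low")])),
    ("difficulty", _vocab([("⛔", "high"), ("🛠️", "medium"), ("🛝", "low")])),
    ("blast radius", _vocab([("🌍", "cross-sector"), ("🏭", "sector-wide"),
                             ("📍", "local")])),
]

def parse_badge(badge):
    """Return {dimension: level}; raise ValueError on a malformed badge."""
    # Normalise: drop variation selectors and whitespace between symbols.
    symbols = [ch for ch in badge if ch != VS16 and not ch.isspace()]
    if len(symbols) != len(DIMENSIONS):
        raise ValueError(f"expected 4 symbols, got {len(symbols)} in {badge!r}")
    result = {}
    for position, (symbol, (name, vocab)) in enumerate(zip(symbols, DIMENSIONS), 1):
        if symbol not in vocab:
            # Catches unknown emoji and valid emoji in the wrong slot.
            raise ValueError(f"position {position}: {symbol!r} is not a {name} symbol")
        result[name] = vocab[symbol]
    return result

def reading(badge):
    """Render a badge in the wording of the Examples table."""
    r = parse_badge(badge)
    text = (f"{r['impact']} impact, {r['uncertainty']} uncertainty, "
            f"{r['difficulty']} difficulty, {r['blast radius']}")
    return text.capitalize()

if __name__ == "__main__":
    # Constructed register entries: two from the Examples table, one mis-ordered.
    for system, badge in [("Kerberos", "💥⁉️🛠️🌍"), ("glibc", "💥 ✅ ⛔ 🏭"),
                          ("mis-ordered", "⁉️💥🛠️🌍")]:
        try:
            print(f"{system}: {reading(badge)}")
        except ValueError as err:
            print(f"{system}: invalid badge ({err})")
```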
Workshop materials
- 30 slides with detailed facilitator notes
- Worked examples: Kerberos, glibc, satellites
- Discussion prompts and fallback questions
- Ministerial framing for governance decisions
Download workshop slides (.pptx, ~44MB) →
Download workshop slides (.pdf, ~29MB) →
Production note: The slide deck includes some AI-generated graphics. I may replace them over time. My focus for this release was the facilitation plan, speaker notes, and making the kit usable end-to-end. This framework took roughly two weeks of concentrated work; I used Claude and ChatGPT as drafting assistants while keeping editorial responsibility for the content.
Call for beta testers: I’m currently building a companion CC-BY executive briefing version of this workshop (30 minutes, with a facilitation plan) intended for C-suite and public-sector leadership rooms. I’m looking for a small, vetted set of reviewers to sanity-check the framing, language, and “what will get you laughed out of the room.” If you can help, please email me with your context and the kinds of stakeholders you regularly brief.
License
Licensed under Creative Commons CC-BY 4.0. Use it, remix it, or just borrow one slide — commercial use encouraged. Just give credit.
Suggested attribution:
“2038 Exposure Matrix — Proper Tools (Trey Darley), CC BY 4.0. Source: propertools.be/commons/2038-exposure-matrix/”
Want help?
If you'd like help running a tailored version for your team, that’s the kind of work Proper Tools does.
Want a free 2038 Exposure Matrix sticker pack?
Send us your mailing address → and we’ll send you stickers. First-class mail, anywhere on Planet Earth†. One per person. Teams, just ask‡.
Please include your full name, where you work, the precise UTC ISO 8601 timestamp when 32-bit time_t rolls over in 2038, and exactly what we should write on the envelope for it to reach you.
Also, please put STICKER PACK REQUEST somewhere in the email subject so we can track your request.
If you throw in a solid album recommendation, we may throw in a little something extra to say “thanks”.
† Some geopolitical exceptions may apply.
‡ Best effort, while supplies last.
Acknowledgements and Origins
This framework was first presented as a structured BoF at FOSDEM 2026 in Brussels: "Pulling 32-bit time_t Asbestos out of the Open Source Ecosystem: Mapping, Triaging, and Coordinating 2038-class Rollover Remediation."
The session ran as a collaborative working session with a roomful of engineers, not a talk — built around a thought experiment: if your government demanded a credible 2038 exposure assessment in 12 weeks, where would you actually start? Distro maintainers, embedded developers, and infrastructure engineers worked through the framework together, shared inventories and remediation strategies, and surfaced coordination gaps.
The workshop materials published here are the facilitation kit from that session, refined based on feedback and released for reuse. They reflect my broader work with the FIRST Time Security SIG and the Epochalypse Project.
Contributors
This page reflects workshop feedback and practical review from people who have lived inside real coordination problems. Any errors remain mine.
- Sarah Novotny — workshop feedback and design refinement for cross-cultural communication.
- Tom Millar — review and feedback on clarity, structure, and operational usability. (Also: the TLP guy.)