Brain-computer interfaces (BCIs) are transitioning from experimental neuroscience tools to commercially deployed medical devices, with companies including Neuralink, Synchron, Blackrock Neurotech, and Paradromics advancing toward regulatory approval and new entrants such as Merge Labs raising $252M in seed funding. Yet no security framework exists that accounts for the unique risks of devices that both read and write neural signals. The Common Vulnerability Scoring System (CVSS v4.0), the industry standard for vulnerability assessment, cannot express biological tissue damage, cognitive integrity violations, consent boundaries, damage reversibility, or neuroplastic consequences, all of which are critical dimensions of neural device security. We present an integrated security framework comprising four contributions: (1) an 11-band hourglass architecture mapping attack surfaces from neocortex to wireless radio across neural, interface, and synthetic zones; (2) TARA, a threat taxonomy of 109 techniques across 15 tactics and 8 domains, each classified by status, severity, and dual-use therapeutic potential; (3) NISS, the Neural Impact Scoring System, a CVSS v4.0 extension that adds six neural-specific metrics (Biological Impact, Cognitive Reconnaissance, Cognitive Disruption, Consent Violation, Reversibility, Neuroplasticity) and is designed to conform with FIRST.org's official extension mechanism; and (4) the Neural Impact Chain, a six-stage pipeline that maps security vulnerabilities to DSM-5-TR psychiatric diagnoses. Analysis of all 109 techniques reveals that 99.1% require NISS extension metrics that CVSS cannot express. The Neural Impact Chain maps all techniques to 15 unique DSM-5-TR diagnostic codes across 5 psychiatric clusters, with 51 techniques posing direct diagnostic risk.
The framework identifies 77 of the 109 techniques (70.6%) with confirmed, probable, or possible therapeutic analogs, establishing a dual-use atlas that pairs attack mechanisms capable of harming neural tissue with their corresponding clinical applications. The complete framework, threat registry, and scoring system are released as open source under the Apache 2.0 license. Version 1.5 expands the TARA registry from 102 to 109 techniques; splits the NISS Cognitive Integrity (CG) metric into Cognitive Reconnaissance (CR) and Cognitive Disruption (CD) to distinguish read attacks from write attacks (NISS v1.1, six metrics); normalizes the default weights (w_CR = w_CD = 0.5, all others 1.0) so that the cognitive dimension keeps the 20% share it held before the split; updates all statistics and tables to reflect the expanded registry; and adds a neurorights dimension mapping for 103 of the 109 techniques.
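The weight normalization in the version note is easy to get wrong when a metric is split: giving each new sub-metric the parent's full weight silently inflates that dimension. The following added example (not code from the paper or its released framework) checks the invariant the abstract states and generalizes it to an n-way split. It assumes NISS v1.0 had five metrics at weight 1.0 (implied by "others = 1.0" and the pre-split 20% share), that a dimension's "share" is the sum of its metric weights over the total weight, and it uses the abbreviations BI, CV, RV and NP for the four non-cognitive metrics, which the page does not define. It does not implement the NISS score formula itself, which is not given here.

```python
"""Weight-share bookkeeping for a metric split, as an added illustration of the
NISS v1.0 -> v1.1 CG -> CR/CD split.  Not the paper's own scoring code."""

# Hypothetical NISS v1.0 defaults: five metrics, each weighted 1.0.
# Abbreviations BI/CV/RV/NP are assumed; the page defines only CG, CR and CD.
NISS_V1_0_WEIGHTS = {"BI": 1.0, "CG": 1.0, "CV": 1.0, "RV": 1.0, "NP": 1.0}


def dimension_share(weights, metrics):
    """Fraction of the total default weight carried by the given metrics."""
    total = sum(weights.values())
    return sum(w for m, w in weights.items() if m in metrics) / total


def split_metric(weights, metric, parts):
    """Replace `metric` by `parts`, dividing its weight equally among them.

    This is the normalized split: the sum of the new sub-metric weights
    equals the parent's weight, so the total and every other metric's
    share are unchanged.  For CG -> (CR, CD) this yields 0.5 each.
    """
    if metric not in weights:
        raise KeyError(f"unknown metric {metric!r}")
    if not parts:
        raise ValueError("a split needs at least one sub-metric")
    new = {m: w for m, w in weights.items() if m != metric}
    each = weights[metric] / len(parts)
    for p in parts:
        new[p] = each
    return new


def naive_split(weights, metric, parts):
    """The tempting mistake: every sub-metric inherits the parent's full weight."""
    new = {m: w for m, w in weights.items() if m != metric}
    for p in parts:
        new[p] = weights[metric]
    return new


def cognitive_shares():
    """Cognitive-dimension share before the split, after the normalized split,
    and after the naive split.  Returns a (before, normalized, naive) tuple."""
    v1_0 = NISS_V1_0_WEIGHTS
    v1_1 = split_metric(v1_0, "CG", ["CR", "CD"])
    naive = naive_split(v1_0, "CG", ["CR", "CD"])
    return (
        dimension_share(v1_0, {"CG"}),
        dimension_share(v1_1, {"CR", "CD"}),
        dimension_share(naive, {"CR", "CD"}),
    )


def share_preserved_after_split(weights, metric, parts, tol=1e-12):
    """General check: a normalized n-way split leaves the dimension's share
    and the total weight unchanged."""
    before_share = dimension_share(weights, {metric})
    before_total = sum(weights.values())
    after = split_metric(weights, metric, parts)
    after_share = dimension_share(after, set(parts))
    after_total = sum(after.values())
    return (abs(before_share - after_share) < tol
            and abs(before_total - after_total) < tol)


if __name__ == "__main__":
    before, normalized, naive = cognitive_shares()
    print(f"cognitive share v1.0: {before:.3f}")      # 0.200
    print(f"cognitive share v1.1: {normalized:.3f}")  # 0.200 (w_CR = w_CD = 0.5)
    print(f"cognitive share naive: {naive:.3f}")      # 0.333, the inflation to avoid
    print("3-way split preserves share:",
          share_preserved_after_split(NISS_V1_0_WEIGHTS, "CG", ["CR", "CD", "CX"]))
```

Running the module shows why the 0.5/0.5 choice is the right one: with both sub-metrics at 1.0 the cognitive dimension would jump from one fifth to one third of the total default weight and every other metric would lose weight relative to the v1.0 baseline.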