Principles

In 2017, SecurityScorecard and more than two dozen other companies joined the U.S. Chamber of Commerce to establish a set of Principles for Fair and Accurate Security Ratings. These principles were created to increase confidence and transparency in security ratings.

View the Principles

Transparency

This means: explaining how we calculate cybersecurity ratings, how we attribute IPs and domains to entities, make measurements, and score findings.

The vast majority of all the data we use for digital footprints and scoring is gathered through our own proprietary collection methods. We use very little OSINT (Open Source INTelligence) data and we only buy small amounts of data from other sources.

Users must be able to verify our attribution and findings. As an example, for SPF findings, we display the information we believe users need to find and fix the issue; the SPF issue itself, the domain the issue was seen on, and the last date the issue was observed.

Visit the Methodology section for more information about our scoring process and data collection >

Dispute, correct, and appeal

We provide a mechanism to dispute our findings, as well as IP or domain allocation. We also accept compensating controls which users put in place to mitigate findings; for example, managing the threat of a CVE.

Visit the Corrections section to read more about the dispute process. >

Visit the Metrics section to learn more about our accuracy and to find out how long we take to resolve issues. >

Accuracy and validation

According to the U.S. Chamber of Commerce principles, cybersecurity ratings companies should provide validation of their methodologies and historical performance of their models.

SecurityScorecard commissioned a team of independent pentest experts to audit a sample of Scorecards to objectively determine the accuracy of our IP and domain attribution. The accuracy for positively attributing IP Addresses was found to be 94%, and for DNS Records it was found to be 100%.

Read the report here. >

Visit the Methodology section to read more about our validation. >

Visit the Metrics section to see the historical performance of our models. >

Model governance

The stability of our ratings is important to our users and to us. Normally, we provide 30 days or more advance notice of changes. However, occasionally there are acute threats (such as Log4j or OpenSSL 3.07) where we may introduce changes more rapidly.

Prior to releasing changes, we test for impact and we include customer-facing staff in our release process.

Independence

Every entity is scored in the same way, regardless of whether they’re a customer or not.

We respond to disputes regardless of whether they originate with a customer, a freemium user, or anyone else.

The presence or absence of commercial agreements does not impact our cybersecurity ratings or our dispute process.

Confidentiality

We do not publish or otherwise distribute information that could aid bad actors or that could lead to a system compromise. We follow responsible disclosure rules.

PRODUCTS

BUY NOW

SERVICES NEW

Under Cyber attack?

BY USE CASE

BY INDUSTRY

Help your organization calculate its risk

OUR CUSTOMERS

SUCCESS AND SUPPORT

COMMUNITY

Understand and reduce risk with SecurityScorecard.

Partner Program Overview

RESOURCES

TOOLS AND DOCUMENTATION

Trust begins with transparency. Take a look at the data that drives our ratings.

Working at SecurityScorecard