In 2017, SecurityScorecard and more than two dozen other companies joined the U.S. Chamber of Commerce to establish a set of Principles for Fair and Accurate Security Ratings. These principles were created to increase confidence and transparency in security ratings.
This means explaining how we calculate cybersecurity ratings: how we attribute IPs and domains to entities, how we take measurements, and how we score findings.
The vast majority of all the data we use for digital footprints and scoring is gathered through our own proprietary collection methods. We use very little OSINT (Open Source INTelligence) data and we only buy small amounts of data from other sources.
Users must be able to verify our attribution and findings. As an example, for SPF findings, we display the information we believe users need to find and fix the issue: the SPF issue itself, the domain the issue was seen on, and the last date the issue was observed.
Dispute, correct, and appeal
We provide a mechanism to dispute our findings, as well as IP or domain allocation. We also accept compensating controls which users put in place to mitigate findings; for example, managing the threat of a CVE.
Accuracy and validation
According to the U.S. Chamber of Commerce principles, cybersecurity ratings companies should provide validation of their methodologies and historical performance of their models.
SecurityScorecard commissioned a team of independent pentest experts to audit a sample of Scorecards to objectively determine the accuracy of our IP and domain attribution. The accuracy for positively attributing IP addresses was found to be 94%, and for DNS records it was found to be 100%.
The stability of our ratings is important to our users and to us. Normally, we provide 30 days or more advance notice of changes. However, occasionally there are acute threats (such as Log4j or OpenSSL 3.07) where we may introduce changes more rapidly.
Prior to releasing changes, we test for impact and we include customer-facing staff in our release process.
Every entity is scored in the same way, regardless of whether they’re a customer or not.
We respond to disputes regardless of whether they originate with a customer, a freemium user, or anyone else.
The presence or absence of commercial agreements does not impact our cybersecurity ratings or our dispute process.
We do not publish or otherwise distribute information that could aid bad actors or that could lead to a system compromise. We follow responsible disclosure rules.