Why Is My TLS/SSL Certificates Grade a C When I Have No Findings?

Jessica

Risk vector grades are based on evidence of preventative implementations and/or the presence of vulnerabilities in a company’s infrastructure. When we have insufficient data to use as evidence, we assign a default risk vector grade. The threshold that causes a default grade to be used varies by risk vector.

In the case of the TLS/SSL Certificates risk vector, a default grade of C is assigned if there are no findings (or only Neutral findings).

Why Aren’t Findings Being Detected?

Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also detect external data gathering tools and block them from getting any data.

A C grade is also assigned if a company’s performance in the risk vector is in the top 60% of all companies in the Bitsight inventory.

If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. If the most recent grade is lower than the default grade, the default grade is assigned.

Resources

TLS/SSL Certificates Risk Vector
Risk Vector Grading with Insufficient Data

November 22, 2024: Published.