Risk vector grades are based on evidence of preventive controls and/or the presence of vulnerabilities in a company’s infrastructure. When we have insufficient data to use as evidence, we assign a default risk vector grade. The threshold at which a default grade is used varies by risk vector. In the case of the Web Application Security risk vector, a default grade of C is assigned if there are no findings (or only Neutral findings).
Why Aren’t Findings Being Detected?
Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic. Some firewalls may also detect and block external data-gathering tools, preventing them from collecting any data.
A C grade is also assigned if a company’s performance in the risk vector is in the top 60% of all companies in the Bitsight inventory.
If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.