Grace Period for Company-Provided Infrastructure

Once added, company-provided infrastructure does not impact your rating for a 60-day grace period and there’s no historical impact if the same or new observations come up after the grace period. During this time, you can preview findings for this infrastructure. This allows you to proactively remediate company-provided IPs and domains before they impact your rating.

Findings from new company-provided infrastructure are visible to third parties during the grace period. Once the grace period ends, third parties will see any new findings as they are observed.

You can opt out of the grace period when adding assets to your infrastructure.

• The grace period is honored even if our scans would have independently discovered the infrastructure after it was manually added. If we discover infrastructure that overlaps with an existing piece of company-provided infrastructure with a grace period, the start date will be no earlier than the company-provided one.
• Company-provided infrastructure with a grace period must always have a start date of “today”.
• If there is any overlapping infrastructure already present in a company’s ratings tree, a request to add company-provided infrastructure with a grace period will be rejected.

Finding Behavior During and After the Grace Period

A new finding that is observed during the grace period does not impact your rating. If the same finding is observed after the grace period ends, a new finding is created that affects the rating as if it was first seen after the grace period ended, without any historical impact. The lifetime of this finding begins when it is first observed after the grace period ends.

• Both findings will appear in their own rows in the Findings Table.
• The finding observed during the grace period does not impact your risk vector grade. Any eventual findings observed after the grace period will impact risk vector grades from the date they’re first seen after the grace period.
• Diligence findings observed before and after the grace period will have the same rolled up ID; Compromised Systems and User Behavior findings will have different rolled up IDs.

Grace Period in Cloud Infrastructure Sync

When a Cloud Infrastructure Sync connection is made, the infrastructure attributed to the self-published company you create as part of that connection receives a 60-day grace period. After the initial grace period ends, newly scanned infrastructure related to that connection is not subject to a grace period due to the dynamic nature of cloud infrastructure. The initial 60 day grace period should be sufficient to identify and remediate any findings that are recurrent.