Ratings Methodology
Learn about the BitSight ratings algorithm, including what goes into your BitSight Security Rating and how risk vectors are assessed.
- RAU 2023 Frequently Asked Questions
- How are Bitsight Security Ratings Calculated?
- What is a Bitsight Security Rating?
- How is an Enhanced Rating Calculated?
- How is the Compromised Systems Risk Category Calculated?
- How is the Diligence Risk Category Calculated?
- How is the User Behavior Risk Category Calculated?
- How is the Public Disclosures Risk Category Calculated?
- How are Bitsight Security Ratings Calculated Within Parent-Subsidiary Relationships?
- Why Do Bitsight Security Ratings Fluctuate?
- Why Do Findings Have a Decay and Lifetime Period?
- How is the SPF Domains Risk Vector Assessed?
- How is the DKIM Records Risk Vector Assessed?
- How is the TLS/SSL Certificates Risk Vector Assessed?
- How is the TLS/SSL Configurations Risk Vector Assessed?
- How is the Open Ports Risk Vector Assessed?
- How is the Web Application Headers Risk Vector Assessed?
- Web Application Header Finding Grades
- What Content-Security-Policy (CSP) Directives are Assessed?
- How is the Patching Cadence Risk Vector Assessed?
- How is the Insecure Systems Risk Vector Assessed?
- How is the Server Software Risk Vector Assessed?
- OS & Browser Version Evaluation
- Software Support Life Cycle & End-of-Life Policy
- How is the Desktop Software Risk Vector Assessed?
- How is the Mobile Software Risk Vector Assessed?
- How is the DNSSEC Risk Vector Assessed?
- How is the Mobile Application Security Risk Vector Assessed?
- Web Application Security Assessment: Cross-Site Scripting
- Web Application Security Assessment: Components with Known Vulnerabilities