How we score our findings
Each finding is assigned a weight: the more serious the finding, the higher its weight. Findings that are more strongly correlated with breaches receive higher weights.
Learn more about our scoring methodology in this scoring whitepaper.
How we validate our findings
We use multiple mechanisms to check our data quality:
- We monitor corrections submitted by our users, and we aim to keep the correction rate below defined thresholds.
- We look for patterns in those corrections so that any underlying data issue can be identified and fixed.
- We spot check both attribution data and findings data.
Users are also expected to validate that our findings, as well as our IP and domain attributions, are accurate, and to submit a correction where they are not.
Scoring and attribution changes
In most circumstances we provide advance notice of changes. For example, we might introduce a new finding type as informational (unscored) for some time before it starts to affect scores, or we may provide a grace period before a finding is scored. However, in some cases we may introduce scoring changes immediately in response to acute threats (such as Log4j).
Before changes are released, they go through a Change Control Board and undergo impact assessments.
For our major releases, we publish release notes describing what changed. Read the release notes here: Release notes