When you fix a vulnerability on your website, remove an asset, or resolve a finding, you expect your scorecard to update right away. Often it doesn't change immediately, and sometimes a finding even reappears. This is usually expected behavior. This article explains the common reasons your score or findings don't change after you take action, and what you can do to speed things up.
Scores update on a daily cycle, not instantly
SecurityScorecard gathers and compiles data daily, and any change to a Scorecard is first calculated and then published to the platform before it becomes visible. As a result, there is up to a 48-hour delay between when a change occurs and when it appears in your score. The date shown on the platform (the scoring date or effective date) lags a few days behind the current date for this reason. For a full explanation of this timing, see What is a Scoring Date?
You fixed an issue, but the finding or score doesn't change
When you make changes to your website or other assets and fix a vulnerability, the related finding does not immediately drop off. If you take no further action, findings age out (decay) on their own only after the platform stops re-observing them. This decay period varies by issue type, and most findings decay after 45 days without a new observation. The full list of decay periods by issue type appears in the Scoring Methodology paper.
To remove a fixed finding sooner, submit a remediation request via the Issues tab in your Scorecard instead of waiting for it to decay. The process is described in Address issue findings in your Scorecard.
A finding shows as "Resolved" but still appears under Open issues
After your remediation request is approved, the finding stays under Open issues with a "Resolved" status for a few days. This status means the finding is approved for removal but is pending removal from the Scorecard. The finding drops off only after the updated Scorecard is recalculated and published, which usually takes up to 48 hours from the date of approval. There is currently no way to force the removal faster.
Once the update is made, the issue/asset will be removed and no longer visible on the Scorecard. At this point, the impact on the score will also be removed.
An asset shows as "Removed" but the score is still impacted
When you request removal of an IP or domain and the request is approved, the asset's status changes to "Removed," but you may still see a score impact next to it. The asset is in a "Pending for Removal" state. For it to drop off completely, the score needs to be recalculated and published, which also takes about 48 hours from the date the asset is approved for removal.
Once the update is made, the issue/asset will be removed and no longer visible on the Scorecard. At this point, the impact on the score will also be removed.
The asset is removed, but its findings remain
Removing an asset and removing its findings are two separate processes. When you remove a domain or IP from your Digital Footprint, SecurityScorecard evaluates only whether the asset was misattributed, not whether the associated findings remain valid. If the underlying issue is still observable (for example, a missing SPF record on a domain that still resolves), those findings remain valid and stay on the Scorecard, and a remediation request to remove them is declined with the message "Remains on Scorecard."
These findings stay valid as long as SecurityScorecard can still observe the asset. Once the asset fully drops out of your Digital Footprint, meaning it is no longer attributed to you and no longer scanned, any associated findings decay and are removed automatically. You don't need to submit a remediation request for them.
Findings remain on an IP I've already rotated
Because the overall scoring process takes several days to complete, an IP with a short time-to-live (TTL), such as a dynamically assigned or recently rotated IP, can keep its attribution and continue to show findings for more than a day. These findings are automatically dropped once the attribution TTL is reached. Until then, the findings may still affect your score even though the IP no longer resolves to you.
A finding I resolved came back
When you resolve a finding using the "Fixed" option, scans automatically try to re-observe it. If the issue is no longer detected, the system marks the finding as resolved. However, if the same issue is observed again at any time in the future, the finding returns to your Scorecard as a new event.
If scans will keep detecting the finding, for example because you have a compensating control or because it is a false positive, use the Other resolutions option so that the finding is not added back to the Scorecard if our system observes it again.
- Select the checkbox next to the finding.
- For a compensating control, choose Other resolutions → I have a compensating control.
- For a false positive, choose Other resolutions → I cannot reproduce this issue and I think it's incorrect.
Can I request a manual rescan of my scorecard?
No, you cannot manually trigger a scan or rescan of your whole Scorecard. SecurityScorecard's process is fully automated: the platform scans continuously and recalibrates scores daily. To remove a finding you believe is fixed, use the resolution process described in Address issue findings in your Scorecard. An immediate rescan is triggered whenever you mark an issue as "Fixed" on the platform. If you don't use the resolution process, the finding eventually decays and drops off on its own.