How to Resolve Issues in SecurityScorecard

Any rated organization has the right to dispute information on their SecurityScorecard Security Rating and provide clarifying information for consideration. SecurityScorecard has three resolution types:

1. Dispute - The company provides evidence that the identified risk/finding was incorrectly associated with their Scorecard and should be removed from the company’s record.
2. Correction - The company provides clarifying data about a compensating control that is in place which is not visible to our non-intrusive, outside-in view.
3. Appeal - The company resolved the risk and the issue should be removed from the company’s Scorecard.

Step by Step Guide

How do I remove issues or IPs on my Scorecard?

Step 1

Identify the issue or IP/domain that you want to dispute, correct, or appeal.

To identify the issue you want removed:

• Go to My Scorecard
• Select the specific issue on the Issues Tab
• Select one or multiple vulnerabilities related to the same issue

To identify the IP/domain you want removed:

• Go to My Scorecard
• Go to the Digital Footprint Tab
• Select one or multiple IPs/domains

Step 2

Select the reason you want the Issue or IP/domain removed from your Scorecard

To select the reason you want a specific issue removed:

• Hit Resolve and select one of four resolution reasons:
  • I have fixed this
  • I have a compensating control
  • This is not my IP or domain
  • I cannot reproduce this issue and I think it’s incorrect

To select the reason you want a specific IP removed:

• Hit Remove and select one of four reasons
  • These IPs are not mine
  • These IPs are associated with a domain that is not mine
  • I have compensating controls
  • I am a hosting provider and these IPs are managed by a customer

Step 3 (Optional)

Users have the ability to add private or public comments to any issue on their Scorecard.

To add a private or public comment on an issue:

• Go to My Scorecard
• Select the specific issue on the Issues Tab
• Select add a comment
• Choose from five pre-canned comments or create a custom comment
• Make the comment public or private (Public custom comments go through a short approval process before they are added to the Scorecard)

Access additional information on Commenting here.

What happens next?

SecurityScorecard reviews each submitted dispute and associated supporting evidence and, if warranted, corrects and updates the scorecard. A challenge or resolution is either accepted or denied within 48-hours on average. If accepted, the Scorecard is then updated between 48-72 hours.

Audit Log Visibility

Users have visibility into the status of each issue that was submitted for review. The categories include:

• Open, Under Review, Resolved, Declined, and Decayed

Have additional questions? Please reach out via support.securityscorecard.com