Managing issue findings is critical to maintaining a high Scorecard rating and providing customers and partners with a complete, accurate view of your security posture.
Ways to address findings
Our remediation process offers several ways to address a finding, each with a different outcome for your Scorecard.
| Action | Goal | Outcome |
| Request resolution | Remove the issue | The finding is immediately removed from your Scorecard and no longer impacts your score. |
| Remediate and wait | Let the finding decay naturally. | The finding automatically decays and is removed after a few days if our scans no longer detect it. |
| Add a comment | Explain why the finding remains. | The finding remains on the Scorecard for visibility. |
| Manage or remove an asset | Ensure accurate asset association | Your Digital Footprint is up to date and more accurately reflects your security posture. |
Locate the finding you want to resolve
- Go to My Organization and select My Scorecard.
- In your Scorecard, you can find issues in two ways:
-
Score Factors - view issue types by factor.
-
Issues - view a combined list of all issue types in one place.
-
Score Factors - view issue types by factor.
- Select an issue type to open its Findings tab, where you can see all findings related to that issue.
- Optionally, you can go to the Recommendations tab to review more details and recommended actions for the issue.
Initiate a resolution
To formally initiate a resolution request for one or more findings:
- Go to the Findings table located at the bottom of the page and select the finding(s) you want to address.
-
Choose how you want to resolve the finding:
- If you have already fixed the issue and want it removed, select Report as Fixed.
- If you need to address the finding for any other reason, select Other resolutions and choose the appropriate option.
The available resolution reasons lead to different actions:
Resolution reason Action This is not my IP or domain Select the link to manage the affected finding in your Digital Footprint. I cannot reproduce this issue and I think it's incorrect Requires a request for resolution. Provide as much detail or evidence as possible to help Support review your request. I have compensating controls Requires a request for resolution. Provide as much detail or evidence as possible to help Support review your request.
Request resolution
Use this option when you want the finding removed immediately and have clear evidence to support your request.
Examples include:
- You have remediated the vulnerability or security problem. For example, you applied a patch to a vulnerable version of a product.
- You have a compensating control in place. For example, you backported the operating system to an affected asset.
- You believe the finding is inaccurate.
Note: Provide as much detail and as many attachments as possible to help expedite the Support team’s review
Submitting findings for backported patches
If you have applied a backported patch to address a vulnerability, do not select Report as Fixed. When you report a finding as fixed, SecurityScorecard performs a new scan of the affected asset. Because backported patches do not change the version information your system reports externally, our scanner will detect the same conditions as before and reject the request.
Instead, follow these steps:
- Select Other resolutions, then select I have compensating controls.
- In your explanation, include the word backported or backported patch and describe the specific patch you applied.
Example: "We have applied a backported patch from our OS vendor that addresses CVE-XXXX-XXXX. The version string reported externally has not changed, but the vulnerability has been remediated."
What happens next: approvals, denials, and projected scores
After you submit a resolution request, our Support team reviews it and any evidence you provided. For information on our response times, see our Trust page.
- If Support approves your request, your score will update within 48 hours.
- If Support denies your request, you will receive an email explaining why.
You can view the status of your request at any time from the Issues page.
Your projected score is also reflected in your Scorecard's company overview.
Remediate and wait
If you fix the vulnerability but do not request a resolution, the finding will automatically decay after a period determined by its issue type.
This action does not require any action from Support. Once our scans no longer detect the issue, the finding is removed from your Scorecard.
Add a comment
Some issues, such as potential vulnerabilities, cannot be removed from your Scorecard. They remain visible so customers, prospects, or partners have a complete view of your security posture.
In these cases, adding a comment allows you to document your mitigation steps, provide context, and show that you are aware of the issue and taking appropriate action. There are two ways to comment on an issue that you cannot resolve.
Add a comment from the issue or finding
- Locate the issue or finding.
- Select Add Comment.
- Choose one of the preset comments, or enter a custom message, and select Save.
Your comment will be visible at the top of your Findings page and can be edited at any time by selecting the icon.
Add a comment from the Findings table
- Use the scroll bar to ensure the entire first row of the table is visible, and then select the Comment icon.
- Enter your comment in the window that opens and select Save.
Your comment will appear in the row and can be edited at any time.
Manage or remove an asset
If the finding appears on an asset that does not belong to your organization, or is associated in a way that should not significantly impact your score, such as with a parked domain, you can manage the asset in your Digital Footprint.
Managing the asset ensures it is correctly associated and that your Scorecard reflects an accurate and up-to-date security posture.