Skip to main content

Commenting on Issues

dave herder
  • Updated

In this article:

     

    How to Comment on Issues

    You can leave a Comment on any of your Issues to provide more context on your Scorecard. There are currently over 80 different issues that are grouped under 10 risk factors that you can provide context around. Comments can be externally published to all companies that follow you in their Portfolio or be left privately restricted to internal teammates only.

    Overall Solution

    Leaving a Comment is different from Resolution, and does not affect your rating. Comments are not available for Custom Scorecards.

    Visibility

    • Comments can only be submitted for Issues related to your own Scorecard
    • Comments can be submitted, edited, and removed by any User, Admin, or Designated Contact
    • Private Comments are only visible to your teammates (internal only)
    • Public Comments are visible to users of other companies who monitor your Scorecard (internal and external)
    • Public Comments will appear in Detailed Reports
    • Comments are not available for Custom Scorecards

    Feel free to contact your Customer Success Manager if there is any feedback on how the commenting feature enables trust and transparency within the SecurityScorecard ecosystem.

    Please refer to the User Management and Access Levels KB for any role-based access questions.

    Predefined Comments

    Users can pick from a list of “Predefined Comments” that cover the most common explanations related to issues. The following comments have been made available for you to use, both internally and externally to your own organization.

    Comment box

    “These issues have been identified and are actively being investigated.”
    Select this canned comment to acknowledge that you are currently looking into a specific issue type.

    “These issues emanate from guest WiFi traffic.”
    Air gap guest WiFi egress points or IPs that produce issues may be removed by attesting to SecurityScorecard that no enterprise traffic also shares that guest WiFi egress IP.

    “These domains are being retired and/or shut down.”
    Getting changes to be reflected by domain name servers and registrars can take time. Selecting this canned comment indicates that the effort is underway, despite issues that may still be appearing until changes have taken effect, globally.

    “These issues are contained in an isolated environment that does not touch production (isolated from the network)”
    For other air gap network scenarios, where there is no WAN connectivity back to the larger enterprise network, there still may appear to be issues. Selecting this canned comment informs the reader that the assets are less critical, sensitive, and connected compared to other digital assets.

    “These issues are a known and accepted vulnerability due to valid business reasons (i.e. systems required to run at maximum compatibility).”
    Some organizations require maximum backward compatibility with older browser types or older encryption methods. Although SecurityScorecard will continue to surface these crypto concerns on their Scorecard, users can easily explain why certain issue types still appear by selecting the canned comment above.

    Predefined Comments can be published to followers of your Scorecard without having to go through SecurityScorecard’s public commenting approval process (see below). These comments will appear immediately on your publicly available Scorecard.

    Public Custom Comments Approval Process

    Users also have the option to leave Custom Comments on Issues.

    Before Custom Comments are made public, they will need to go through SecurityScorecard’s approval process. This ensures data integrity and the safety of our customer community.

    The approval process can take up to one week and the user who submits the Comment will be notified by email of the approval status.

    Comment box

    To ensure timely approval we ask that you kindly adhere to the following guidelines when submitting Custom Comments for review:

    • Do not include personally identifiable information (PII)
    • Do not include any sensitive company data (i.e. credentials, URLs)
    • Do not use profanity and/or unacceptable business language
    • Keep comments related to the issues they are posted for as we will not accept “out of context” comments. For example, generalized comments, such as “I do not trust this” or “this data is wrong (without explanation that connects back to the issue)” will not be approved for public consumption without further clarification

    Step by Step Guide

    • Login to your SecurityScorecard account 
    • Navigate to My Scorecard 
    • Select a specific issue from the Scorecard Tab or the Issues Tab
    • Select Add Comment
    mceclip0.png
    • Select a specific reason
    • Toggle to private or public
    • Select Publish 

    Q&A

    Why should you use comments?

    Commenting on the Issues Tab increases trust within the 3rd and 4th party ecosystem. The added layer of transparency with the ability to selectively share inside-out context to your teammates and/or external business partners helps all companies to collaborate effectively around contextualizing cybersecurity issues found on Scorecards.

    When should you use Comments?

    There is a myriad of reasons why SecurityScorecard users want to leave comments on their own Scorecard. See some of the following examples:

    Using Private Comments

    Private comments can be leveraged to collaborate more effectively on your Scorecard by adding additional context for teammates that may need to try to resolve the issue at a later date. By providing commentary, you will have a current and historical system of record around your Scorecard’s issues.

    You can also use the private commenting option to collaborate on any comment that you intend to publish for public consumption in the future.

    Using Public Comments

    Occasionally you might have an issue that you cannot fix for internal business reasons or there is a timing issue with your backlog.

    For example, you might need to keep an older version of TLS 1.1 and have purposely chosen to not upgrade to the newest version. This appears as an issue on your Scorecard and lowers your rating. In this case, multiple external business partners (or third parties) may reach out to you for an explanation around that same issue.

    With commenting you can simply leave a public explanation for the issue so you do not need to repeat yourself to every business partner that follows your Scorecard. The added efficiency boost will allow your team to focus on higher-value activities.

    Can all SecurityScorecard users comment on their own Scorecard?

    Comments can be submitted, edited, and removed by any User, Admin, or Designated Contact. Users with Guest User and Read-Only access will not be able to submit, edit or remove comments.

    What does the approval process look like for Custom Comments?

    Custom Comments must be approved by SecurityScorecard’s Support Team in order to appear on your Scorecard for users external to your organization to view. Our approval process has been designed to ensure data integrity and quality. The process consists of a SecurityScorecard representative from the Support Team getting a notification of the new Public Comment request, reviewing it, and making a decision if the content meets the commenting guidelines as outlined above.

    When you submit comments who’s name is visible?

    For your own company, you can see the name of the user who wrote the comment. For Public Comments, we do not share the name of the user who provided the comment.

    Can you add Comments in multiple languages?

    Yes, you can leave comments in any language. For Public Comments, we suggest that you leave comments in English in addition to your native language to ensure a timely approval process.

    How does commenting work for Custom Scorecards Comments?

    Comments are not available for Custom Scorecards.

    Related articles