In this article:
If another company invited you to join the SecurityScorecard platform, use this FAQ to address your questions and concerns.
If you do not see one of your questions here, submit it to our Support team, and we will update the FAQ with your query.
What data sources do you use to attribute assets to organizations?
We start with a top-level domain and then find all registered sub- and related domains, using the following sources:
- DNS lookup for subdomains related to the examined domain and IP address, and the timestamp of the sighting
- SSL certificates related to the examined domain and IP address, and the timestamp of the certificate sighting
- WHOIS records related to the examined domain and IP address
- Third-party data feeds that correlate the examined IP address and domain
- Research data that SecurityScorecard gathered for manual attribution
- Published Data provided by an owner of an IP address range, such as a service provider
I see a lot of inaccuracies. How do I know the Scorecard information is reliable?
We are constantly improving our scanning, attribution, and rating technologies for greater accuracy and fairness.
One of our most important attribution sources is you. We want to leverage your unique perspective on your asset inventory, so we are making it easier for you to review, validate, and maintain your company's digital footprint. This validation process ensures that your scorecard rating faithfully reflects your security posture.
We also work with you to reconcile disagreements over attributions, issues, or scoring.
Learn more in our Trust Portal.
I don't agree with my score. What can I do?
Your organization has the right to dispute information on your SecurityScorecard Security Rating and provide clarifying information for consideration. You can use these resolution methods:
- Dispute - Your company provides evidence that the identified risk or finding was incorrectly associated with your Scorecard and should be removed from your company’s record.
- Correction - Your company provides clarifying information about a compensating control that is not visible to our non-intrusive, outside-in network view.
- Appeal - You inform SecurityScorecard that your company resolved the the issue, so it should be removed from your Scorecard. Learn about our resolution process.
You can also leave a public comment in your company profile or on a specific issue to provide context to anyone who may be looking at your scorecard.
How long will it take for my score to update after I submit a remediation?
It takes up to five days for your remediation to be reflected in your score.
Is there any cost to view my scorecard and submit remediations? I see some features that require an upgrade.
You can sign up for a free account that enables you to view all details of your score, generate a score improvement plan, and submit remediations. Certain features are available with paid plans, such as the Audit Log, which enables you to track every issue that was remediated, when it was remediated, and by whom. For details on what is included in each plan, visit the plans page in the SecurityScorecard platform.
How do I add my colleagues to my company's account?
Use the Invite Teammate button in your Scorecard. If your company has a free account, you can invite people whose email address matches the domain they are being invited to. If your company has a paid SecurityScorecard plan, you can assign an admin to invite any email address to their instance, regardless of domain.