Vendor responses reflect the current state of engagement after a finding has been flagged or a remediation request has been sent. These responses are represented by each finding's Vendor Status, which updates as actions are taken and reviewed.
Status lifecycle groups
At any given time, a finding has one of the statuses listed below. These statuses fall into three lifecycle groups.
Open
Open statuses indicate the finding is active and requires action.
- Open
- Reopened
- Investigating
Pending SSC Review
Pending statuses indicate that a response has been submitted and is awaiting review by SecurityScorecard (SSC).
- Compensating Control
- Fixed
- Cannot Reproduce
Resolved
Resolved statuses indicate that the finding has been reviewed and closed by SSC.
- Compensating Control
- Fixed
- Cannot Reproduce
Vendor status definitions
Vendor Status consists of a primary status and, in some cases, a more specific substatus. The primary status represents the finding's position in the lifecycle (Open, Pending, Resolved), while the substatus provides additional detail about the current activity or outcome.
The Updated by column indicates whether a status change is initiated by the vendor or by SecurityScorecard as part of the validation and review process.
| Primary status | Vendor status | Definition | Updated by |
| --- | --- | --- | --- |
| Open | Open | The finding is active and has not yet been addressed or reviewed. | SecurityScorecard |
| Open | Reopened | A previously submitted status update (e.g., a compensating control) was not approved by SSC and requires further action. | SecurityScorecard |
| In progress | Investigating | The finding has been acknowledged and is under review before further action is taken. | Vendor |
| Pending SSC Review | Compensating Control | A compensating control has been submitted and is awaiting review by SSC. The finding will transition to Compensating Control if accepted or Reopened if not validated. | Vendor |
| Pending SSC Review | Fixed | The issue has been reported as fixed and is awaiting SSC review. SSC will either confirm it as Fixed or mark it as Reopened. | Vendor |
| Pending SSC Review | Cannot Reproduce | The issue has been reported as not reproducible and is awaiting SSC review. SSC will either confirm it as Cannot Reproduce or mark it as Reopened. | Vendor |
| Resolved | Compensating Control | The submitted compensating control has been reviewed and accepted by SSC. This finding is considered to be resolved. | SecurityScorecard |
| Resolved | Fixed | The finding has been verified as fixed by SSC scanning. | SecurityScorecard |
| Resolved | Cannot Reproduce | The issue has been reviewed and accepted by SSC as not reproducible. | SecurityScorecard |