In this article:
Every finding for every issue type on your Scorecard has status that reflects whether you are addressing it and whether it impacts your score:
- Open
- Under Review
- Approved
- Declined
- Decayed
What is a decayed finding?
An unresolved finding decays when SecurityScorecard has not seen it resurface within a certain period of time. A decayed finding no longer impacts your score.
Note: If you remove an asset with a finding from your Digital Footprint, the status for that finding becomes Decayed. If the assets reappears on your Digital Footprint, the finding also reappears.
When do issue findings decay?
Decay windows vary by issue type, as seen in the following table.
Note: Some issue types do not decay. For any issue in the table with a decay window of None, click the numeral next to it to read a footnote explaining why it does not decay.
| Findings for this issue type... | ...decay after this number of days |
| Active CVE Exploitation Attempted | 15 |
| Adware Installation | 30 |
| Adware Installation Trail | 365 |
| Age exposed | 15 |
| Alleged Breach Incident | None (1) |
| Anonymous Open Proxy | 45 |
| Apache Cassandra Service Observed | 45 |
| Apache CouchDB Service Observed | 45 |
| API key exposed | 15 |
| Apple AirPort Device Detected | 45 |
| Attack Detected | 30 |
| Attempted Information Leak | 15 |
| Birthday exposed | 15 |
| Bitcoin Server Exposed | 45 |
| Browser Average Age Indicates Older Versions | None (2) |
| Browser logs contain debug messages | 15 |
| CDN Used | 45 |
| Certificate Is Expired | 45 |
| Certificate Is Revoked | 45 |
| Certificate Is Self-Signed | 45 |
| Certificate key is smaller than recommended size | 15 |
| Certificate Lifetime Is Longer Than Best Practices | 45 |
| Certificate Signed With Weak Algorithm | 45 |
| Certificate Without Revocation Control | 45 |
| Cleartext password exposed | 15 |
| Cloud Provider Service Used | 45 |
| Cobalt Strike C2 Detected | 15 |
| Cobalt Strike C2 server detected | 45 |
| Content Security Policy (CSP) Missing | 15 |
| Content Security Policy Contains 'unsafe-*' Directive | 15 |
| Content Security Policy Contains Broad Directives | 15 |
| Credentials at Risk | 90 |
| Credentials at Risk (Historical) | None (1) |
| DNS Server Accessible | 45 |
| Domain Advertised as Ransomware Victim | 90 |
| DOS Attack Attempt Detected | 15 |
| Elasticsearch Service Observed | 45 |
| Email exposed | 15 |
| Embedded IOT Web Server Exposed | 45 |
| Employer exposed | 15 |
| End-of-Life Product | 45 |
| End-of-Service Product | 45 |
| Exploit Attempt Detected | 15 |
| Exposed Personal Information | 90 |
| Exposed Personal Information (Historical) | None (1) |
| FTP Service Observed | 45 |
| General Scan Detected | 15 |
| Hashed password exposed | 15 |
| High Severity Content Management System vulnerabilities identified | 45 |
| High Severity CVEs Patching Cadence | 120 |
| High-severity CVE patching analyzed | 1 |
| High-Severity Vulnerability in Last Observation | 45 |
| HTTP Proxy Service Detected | 45 |
| IMAP Service Observed | 45 |
| Industrial Control System Device Accessible | 45 |
| Insecure channel exposes sensitive information | 15 |
| Insecure HTTPS Redirect Pattern | 15 |
| Instant messaging account exposed | 15 |
| IP address exposed | 15 |
| IP Camera Accessible | 45 |
| IP on blacklist due to malicious activity | 15 |
| iSCSI Device Exposed | 45 |
| Java Debugger Detected | 45 |
| Known compromised or Hostile Host | 15 |
| Language exposed | 15 |
| LDAP Server Accessible | 45 |
| LDAP Server Allows Anonymous Binding | 45 |
| Link redirects to insecure website | 15 |
| Low Severity Content Management System vulnerabilities identified | 45 |
| Low Severity CVEs Patching Cadence | 60 |
| Low-severity CVE patching analyzed | 1 |
| Low-Severity Vulnerability in Last Observation | 45 |
| Malformed SPF Record | 15 |
| Malicious botnet C2 server detected | 15 |
| Malicious Scan Detected | 15 |
| Malicious TOR Exit Node Detected | 15 |
| Malicious TOR Relay/Router Node Detected | 15 |
| Malicious User Agent Detected | 15 |
| Malware Controller Observed | 30 |
| Malware Detected | 15 |
| Malware Infection | 30 |
| Malware Infection Trail | 365 |
| Medium Severity Content Management System vulnerabilities identified | 45 |
| Medium Severity CVEs Patching Cadence | 90 |
| Medium-severity CVE patching analyzed | 1 |
| Medium-Severity Vulnerability in Last Observation | 45 |
| Microsoft SQL Server Service Observed | 45 |
| Minecraft Server Accessible | 45 |
| Mirai Botnet Traffic Detected | 15 |
| Mobile Printing Service Detected | 45 |
| MongoDB Service Observed | 45 |
| MySQL Server Running with Empty Password | 45 |
| MySQL Service Observed | 45 |
| Name exposed | 15 |
| Neo4j Database Accessible | 45 |
| NetBus Remote Access Service Detected | 45 |
| Network Attached Storage Device Exposed | 45 |
| Networking Service Observed | 45 |
| Non-social media access token exposed | 15 |
| Non-standard links detected: Contact information displayed | 15 |
| Non-standard links detected: Local file path exposed | 15 |
| Non-standard links detected: Unsafe File Transfer Protocol | 15 |
| Non-standard links detected: Unsafe Telnet protocol | 15 |
| Occupation exposed | 15 |
| October 2022 OpenSSL 3.X Vulnerability | 45 |
| Open DNS Resolver Detected | 45 |
| OpenVPN Device Accessible | 45 |
| Oracle Database Server Accessible | 45 |
| Oracle Service Registry Detected | 45 |
| Outdated Operating System Observed | 30 |
| Outdated Web Browser Observed | 30 |
| Parent's name exposed | 15 |
| Password exposed | 15 |
| Password hint exposed | 15 |
| Phishing Infrastructure | 45 |
| Phone number exposed | 15 |
| Physical address exposed | 15 |
| POP3 Service Observed | 45 |
| PostgreSQL Service Observed | 45 |
| Potentially Vulnerable Application (PVA) Installation | 30 |
| Potentially Vulnerable Application Installation (PVA) Trail | 365 |
| PPTP Service Accessible | 45 |
| Printer Detected | 45 |
| Product Potentially Impacted by CVE-2022-41040 & CVE-2022-41082 | 45 |
| Product Potentially Impacted by PowerShell Remoting RCE | 45 |
| Product Running Vulnerable Log4j Version | 45 |
| Products Susceptible To Ransomware Exploits Exposed | 45 |
| Pulse Connect Secure VPN Product Observed | 45 |
| Race exposed | 15 |
| Ransomware Infection Detected | 30 |
| Ransomware Infection Trail Detected | 365 |
| Ransomware-Susceptible Remote Access Services Exposed | 1 |
| RDP Service Observed | 45 |
| Redirect Chain Contains HTTP | 15 |
| Redis Service Observed | 45 |
| Remote Access Service Observed | 45 |
| rsync Service Observed | 45 |
| Security question and answer exposed | 15 |
| Server certificate issued by country on denylist | 15 |
| Server error detected | 15 |
| Server with Expired Certificate Contacted | 15 |
| Session Cookie Missing 'HttpOnly' Attribute | 15 |
| Session Cookie Missing 'Secure' Attribute | 15 |
| Site does not enforce HTTPS | 15 |
| Site emits visible browser logs | 15 |
| Site fails to load page components | 15 |
| Site links to insecure websites | 15 |
| Site may use WebSockets to send user data | 15 |
| Site receives data over Websockets | 15 |
| Site requests data over insecure channel | 15 |
| SMB Service Observed | 45 |
| SMTP Server on Unusual Port | 45 |
| SOAP Server Accessible | 45 |
| Social media account exposed | 15 |
| Social media token exposed | 15 |
| Social Security number exposed | 15 |
| SOCKS Proxy Service Detected | 45 |
| SPF Record Contains a Softfail without DMARC | 15 |
| SPF Record Found Ineffective | 15 |
| SPF Record Missing | 15 |
| SSH Software Supports Vulnerable Protocol | 55 |
| SSH Supports Weak Cipher | 55 |
| SSH Supports Weak MAC | 55 |
| SSL/TLS Service Supports Weak Protocol | 45 |
| Suspicious Traffic Observed | 30 |
| Telephony/VoIP Device Accessible | 45 |
| Telnet Service Observed | 45 |
| Threat actor infrastructure detected | 30 |
| TLS Certificate Status Request ("OCSP Stapling") Detected | 45 |
| TLS Service Supports Weak Cipher Suite | 45 |
| TOR Server Detected | 45 |
| Unsafe Implementation Of Subresource Integrity | 15 |
| Unsolicited Commercial Email | 1 |
| UPnP Accessible | 45 |
| User-agent string exposed | 15 |
| Username exposed | 15 |
| VNC Service Observed | 45 |
| Vulnerabilities observed | 45 |
| Vulnerability observed in most recent scan | 45 |
| Vulnerable Log4j version detected | 15 |
| Web Application Firewall (WAF) Detected | 15 |
| Web application potentially vulnerable to Spring4Shell | 45 |
| Website communicates with payment provider | 15 |
| Website copyright is current | 15 |
| Website Copyright is Not Current | 15 |
| Website defaced | 15 |
| Website Does Not Implement HSTS Best Practices | 15 |
| Website does not implement X-Content-Type-Options Best Practices | 15 |
| Website does not implement X-Frame-Options Best Practices | 15 |
| Website does not implement X-XSS-Protection Best Practices | 15 |
| Website Hosted by GoDaddy’s Wordpress | 15 |
| Website Hosted on Object Storage | 15 |
| Website References Object Storage | 15 |
| Website Uses GoDaddy TLS Certificates | 45 |
| Websocket requests contain sensitive fields or PII | 15 |
Why do some issues not decay?
Some issues do not have a decay window:
- (1) Breaches and some issues related to leaked information remain on the Scorecard indefinitely.
- (2) A finding for the issue type Browser Average Age Indicates Older Versions is based on a set of time-based values, which are recalculated when changes occur:
- A new finding causes the set to grow.
- If we do not detect a new finding after seven days, we remove the oldest value.
If all values are removed from the set, we remove the issue from the Scorecard.