The Vendor Risk Assessment (VRA) uses a variety of checks to produce the scores shown in the VRA tab. Scores close to 10 are, quite rightly, in rarefied air: relatively few organisations operate at that level of security maturity. Scores under 4 are not uncommon, and this too reflects reality.
A score between 4 and 6 is both the mean and the median.
Each check in our system receives a weighting towards the overall score. We have weighted the checks based on:
(a) the degree to which the check genuinely distinguishes between organisations (some checks, for example, are rarely if ever failed, so they carry little weight); and
(b) the degree to which the check is a strong indicator of security maturity or risk.
| Name | Algorithm Weight |
| --- | --- |
| Sensitive Ports | 7 |
| Certificate Status (Note 1 below) | 3 |
| SSL/TLS Vulnerabilities (Note 1 below) | 6 |
| SSL/TLS Security Enhancements (Note 1 below) | 3 |
| Content-Security-Policy | 6 |
| X-Frame-Options | 6 |
| X-Content-Type-Options | 3 |
| X-XSS-Protection header | 2 |
| Strict-Transport-Security (HSTS) | 5 |
| Subdomain TLS Configuration Consistency | 2 |
| Suspicious & Malicious Subdomains (Note 2 below) | 8 |
| Subresource Integrity | 2 |
| Referrer-Policy | 2 |
| DNS Zone Transfer | 7 |
| Open Recursive DNS | 3 |
| DMARC Check | 8 |
| SPF Record Check | 8 |
| Domain Expiry | 6 |
| Secure Mail Server | 6 |
| Breached Emails | 7 |
| Email Enumeration | No effect on score |
| Subdomain Enumeration | No effect on score |
Note 1: Scoring Algorithm 1.0 used the Qualys SSL Labs assessment to examine certificate and SSL/TLS-related vulnerabilities. With the release of Scoring Algorithm 2.0 we have built our own set of assessment tools for SSL/TLS and certificate weaknesses, and have accordingly split this area into the three separate checks above and increased their combined weight.
Note 2: Most organisations have no suspicious subdomains in their environment, and finding any would be an extremely significant issue. This check is therefore scored asymmetrically: if no suspicious or malicious subdomains are found, 8 is added to the score; if malicious subdomains are found, 11 is subtracted, i.e. the weight of 8 plus an extra penalty of 3.