The Vendors section of UpGuard Vendor Risk lets you find, monitor, and remove vendors via our instant vendor search.
You can keep track of vendor security ratings over time, categorize vendors, and compare them against industry benchmarks.
Beyond the list view shown in the screenshot above, you can click on an individual vendor to see a summary of their security posture. This page includes:
- Basic information about the vendor
- Questionnaire and remediation information
- Vendor security rating over the last 12 months
- Website risks
- Email security risks
- Network security risks
- Reputation risks
- Phishing and malware risks
- Brand protection risks
- Questionnaire risks
How vendor security ratings are calculated
To understand how we calculate the security ratings for a vendor, it's helpful to start with how we calculate a security rating for an individual domain or IP address.
How we calculate the security rating for a single domain or IP address
To calculate a security rating for a domain or IP address, we run hundreds of individual checks across email security, website security, phishing and malware risk, 200+ services across thousands of ports, domain hijacking and man-in-the-middle risk, security questionnaire results, credential management, and reputational risk.
This data is collected on a daily basis through commercial, open-source, and proprietary methods, allowing us to evaluate the external security posture of any Internet-facing asset.
The output of the data collection process is fed into our proprietary scoring algorithm to produce a score out of 950. The scoring algorithm is subtractive, in that assets start with a score of 950 and have points subtracted for each failed check.
The number of points deducted is based on the severity of the underlying risks, which we categorize as critical, high, medium or low risk.
The closer an individual asset's security rating is to 950, the better its external security posture and the lower its residual risk exposure.
How we calculate the security rating of a vendor
To produce a vendor's security rating, we take a weighted average of the security ratings of all their domains and IP addresses. We then apply a Gaussian averaging algorithm that weights lower scores more heavily, so that a low score isn't masked by a high average.
This produces a numeric grade for an organization, along with a letter grade as follows:
Additionally, we constantly add new checks based on our in-house security team's research, which means our scoring algorithm may change from time to time to better reflect what we consider a best-in-class security posture.
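The following is an added illustrative model of the two steps described above (subtractive asset score, then a vendor average that weights low scores more heavily); it is example code written for this page, not UpGuard's algorithm. The per-severity deduction amounts, the choice to centre the Gaussian weighting on the lowest asset score, its width, and the asset data are all constructed assumptions.

```python
from math import exp
from statistics import mean

MAX_SCORE = 950

# Assumed point deductions per severity. Placeholder values for illustration;
# the page states only that deductions depend on severity, not the amounts.
DEDUCTIONS = {"critical": 200, "high": 100, "medium": 40, "low": 10}

# Constructed sample: failed-check severities per vendor asset (hypothetical).
SAMPLE_ASSETS = {
    "www.example-vendor.test": ["medium", "low"],
    "mail.example-vendor.test": ["critical", "high", "high"],
    "api.example-vendor.test": [],
    "cdn.example-vendor.test": ["low"],
}


def asset_score(failed_checks):
    """Subtractive score: start at 950, deduct per failed check, floor at 0."""
    deducted = sum(DEDUCTIONS[severity] for severity in failed_checks)
    return max(0, MAX_SCORE - deducted)


def vendor_score(asset_scores, width=150.0):
    """Average that weights lower asset scores more heavily.

    Each asset gets a Gaussian weight centred on the lowest score in the set,
    so assets near the weakest one dominate the result. Centring on the
    minimum and the width of 150 points are assumptions for this example.
    """
    if not asset_scores:
        raise ValueError("a vendor needs at least one scored asset")
    lowest = min(asset_scores)
    weights = [exp(-((s - lowest) ** 2) / (2 * width ** 2)) for s in asset_scores]
    return sum(w * s for w, s in zip(weights, asset_scores)) / sum(weights)


def compare_aggregations(assets=SAMPLE_ASSETS):
    """Return (plain mean, low-weighted vendor score) for the given assets."""
    scores = [asset_score(checks) for checks in assets.values()]
    return mean(scores), vendor_score(scores)


if __name__ == "__main__":
    plain, weighted = compare_aggregations()
    for name, checks in SAMPLE_ASSETS.items():
        print(f"{name:28} {asset_score(checks)}")
    print(f"plain mean: {plain:.0f}  low-weighted vendor score: {weighted:.0f}")
```

With the sample data, the one weak asset (550) pulls the weighted vendor score down to roughly 590 while the plain mean stays at 835, which is the masking effect the weighting is meant to prevent.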
The principles for fair and accurate security ratings
Security ratings are relatively new and carry their own risks. As noted by the Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, ratings rely on data from a dynamic environment with many sources.
This is why UpGuard adheres to the Principles of Fair and Accurate Security Ratings:
- Transparency: UpGuard believes in providing full and timely transparency not only to our customers but to any organization that wants to understand its security posture, which is why you can request your free security rating here and book a free trial of our platform here.
- Dispute, Correction and Appeal: UpGuard is committed to working with customers, vendors and any organization who believes their score is not accurate or outdated.
- Accuracy and Validation: UpGuard's security ratings are empirical, data-driven and based on independently verifiable and accessible information.
- Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.
- Independence: No commercial agreement, or lack thereof, gives an organization the ability to improve its security rating without improving its security posture.
- Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. We also do not provide third parties with sensitive or confidential information on rated organizations that could lead to system compromise.