Some of the risks we attempt to identify cannot be automatically verified and are therefore categorized as informational. Informational risks do not impact your or your vendors' security rating.
To understand why these risks are informational, it's helpful to walk through a few examples.
Example 1: Vulnerabilities
When we identify vulnerabilities, we use the information exposed in HTTP headers, website content, and open ports.
Many of the vulnerabilities we detect are based on a specific software version exposed in website headers that are known to have vulnerabilities. The issue is many of these vulnerabilities need the domain owner to determine which vulnerabilities apply to them. As such, these vulnerabilities appear as informational and aren't scored.
In contrast, other vulnerabilities may have a specific test that we run to confirm the existence and exploitability. Verified vulnerabilities are scored and do not appear as informational.
Example 2: Open ports
Another example are our open port checks. Some ports are open and listening meaning we received data back from the port, while other ports are merely open.
When a port is open and listening, we are able to verify there is a service exposed and can score the risk. In contrast, some ports are open but we were unable to detect a service listening on the port. These risks are not scored and are informational.
Risks that appear as informational are not scored because we are unable to verify that they pose a risk. It is up to the domain owner to verify that the risks are applicable to their situation.