How it's calculated
The Security Score uses a deduction model: it starts at 100 and loses points as issues go unresolved past their SLA deadlines.
- An issue that is fixed within its SLA window causes no penalty
- An issue that becomes overdue starts reducing the score
- The penalty increases the longer an issue stays overdue
- CRITICAL overdue issues carry a heavier penalty than lower severities
Fixing an overdue issue stops the penalty from growing. The score recovers as overdue issues are resolved.
What a score means
| Score | What it signals |
|---|---|
| 90–100% | Strong posture. Most issues resolved on time. |
| 75–89% | Some overdue issues. Attention needed. |
| 50–74% | Significant overdue backlog. Remediation should be prioritized. |
| < 50% | Critical exposure. Immediate action required. |
What does NOT affect the score
- Noise issues — informational findings with no CVE are never penalized
- Snoozed issues — paused from SLA countdown; not penalized during the snooze period
- False positives — excluded entirely
- Fixed issues — penalty stops immediately upon fix