How it's calculated

The Security Score uses a deduction model: it starts at 100 and loses points as issues go unresolved past their SLA deadlines.

  • An issue that is fixed within its SLA window causes no penalty
  • An issue that becomes overdue starts reducing the score
  • The penalty increases the longer an issue stays overdue
  • CRITICAL overdue issues carry a heavier penalty than lower severities

Fixing an overdue issue stops the penalty from growing. The score recovers as overdue issues are resolved.

What a score means

ScoreWhat it signals
90–100%Strong posture. Most issues resolved on time.
75–89%Some overdue issues. Attention needed.
50–74%Significant overdue backlog. Remediation should be prioritized.
< 50%Critical exposure. Immediate action required.

What does NOT affect the score

  • Noise issues — informational findings with no CVE are never penalized
  • Snoozed issues — paused from SLA countdown; not penalized during the snooze period
  • False positives — excluded entirely
  • Fixed issues — penalty stops immediately upon fix

What's next