External Trust Indicators
5 automated security scanners
Security Certification Lapses
Purpose: This scanner is designed to analyze the external trust indicators of a company by examining its security certifications and attestations. It aims to identify any lapses in security certifications, such as expired certificates or missing verification badges, which could indicate vulnerabilities and risks to the organization’s security posture.
What It Detects:
- Expired Security Certifications: The scanner identifies if any of the company’s security certifications have expired.
- Missing Verification Badges: It checks for the presence of any verification badges that are supposed to be displayed as evidence of the company’s security certifications.
- Incomplete or Incorrect Certification Types: It verifies whether the reported types of certifications match what is expected based on industry standards and regulations.
- Scope Limitations: The scanner detects if there are exclusions in the scope of the certification, which could limit the organization’s compliance efforts.
Inputs Required:
- Domain: The web address of the company’s main website.
- Company Name: The legal name of the company being assessed.
Business Impact: Security certifications are crucial for demonstrating to stakeholders and customers that an organization adheres to established standards and practices in information security. A lapse in these certifications can lead to a loss of trust, potential regulatory non-compliance, and increased risk of data breaches or other security incidents.
Risk Levels:
- Critical: The scanner flags significant issues such as expired certificates with no immediate remediation plan.
- High: Issues like missing critical verification badges or incorrect certification types that could lead to severe compliance problems.
- Medium: Minor lapses in certifications that require attention but do not pose an immediate high risk.
- Low: Informational findings that might need documentation and future monitoring, generally not affecting the core security posture significantly.
Example Findings:
- A company claims to have PCI DSS certification, but no evidence of this badge is found on their website.
- A SOC 2 Type II report is mentioned, but only a SOC 2 Type I is detected, indicating an incomplete compliance profile.
Public Security Reporting Reduction
Purpose: The purpose of this scanner is to analyze public security reporting reduction for a given domain and company. It aims to identify if an organization has reduced its transparency and communication regarding security matters, which could indicate potential vulnerabilities or concealment of critical information.
What It Detects:
- This scanner detects the presence and quality of public security content such as blog posts, incident disclosures, and metrics.
- It checks for active public security reporting through blogs and updates.
- The scanner identifies if there is a transparency report and its freshness or completeness.
- It looks for any incidents disclosed publicly to assess how an organization handles security breaches.
- If the scanner finds reduced communication about security matters, it flags this as a reduction in indicators.
Inputs Required:
- Domain: The target domain to be analyzed.
- Company Name: The name of the company associated with the domain.
Business Impact: The business impact is significant as public transparency and regular communication about security matters are crucial for maintaining trust among stakeholders, customers, and partners. Reduced reporting could indicate a lack of proactive measures or potential issues that might affect the organization’s reputation and credibility in the market.
Risk Levels:
- Critical: If there is no public security blog or update feed detected, which indicates a complete absence of any communication about security matters.
- High: If the transparency report is outdated or missing completely, suggesting a lack of recent information regarding security practices and incidents.
- Medium: If limited incident disclosures are found, which might indicate concealment of past issues or poor handling of breaches.
- Low: If no significant reduction in public reporting is detected, indicating active communication about security matters.
- Info: Provides informational findings if the scanner does not find any critical issues but still suggests a need for improvement in public security reporting practices.
Example Findings:
- A company that has stopped updating its blog with recent security information may be flagged for reduced transparency, since the silence could conceal past incidents or reflect a lack of proactive measures.
- An organization without a transparency report, especially one operating in the tech sector where transparency is often expected, could face significant risk if it does not have any public record of its security practices and outcomes.
Audit Scope Narrowing
Purpose: This scanner analyzes external trust indicators to assess the scope of audit documents and identify any potential narrowing of the audit scope. It checks for exclusions in infrastructure, applications, and third-party systems as well as limited access to full audit reports and high ambiguity in defined scopes.
What It Detects:
- Exclusion Patterns: The scanner identifies patterns where specific infrastructures, applications, or third-party services are excluded from the audit scope.
- Audit Report Access Limitations: It detects scenarios where full audit reports are not publicly available, indicating potential restrictions in transparency.
- Ambiguity Indicators: Vague boundary definitions and sample-based auditing indicate a high level of ambiguity in the defined audit scope and suggest incomplete coverage.
Inputs Required:
- domain: The target domain for the audit scope analysis.
- company_name: The name of the company associated with the domain being analyzed.
Business Impact: Assessing the breadth of an organization’s audit scope is crucial for understanding its information security posture and compliance obligations. Narrowing the scope can lead to overlooked risks, potentially compromising data protection and regulatory adherence.
Risk Levels:
- Critical: The scanner identifies multiple critical exclusions or limitations that severely restrict the audit scope, indicating a significant risk of undetected vulnerabilities.
- High: There are several high-risk findings such as broad exclusions or limited access to full reports, which significantly impact trust and security posture.
- Medium: Several medium-level risks are present, including some critical issues but with fewer severe restrictions on scope.
- Low: Minimal risk is detected, indicating a generally comprehensive audit scope that aligns well with the organization’s information security objectives.
- Info: Informational findings suggest minor or no significant risks in the audit scope analysis.
Example Findings:
- Acme Corporation has an exclusion pattern where all legacy systems are excluded from the audit, significantly narrowing the scope and potentially missing critical updates.
- Limited public access to a company’s full audit reports indicates a lack of transparency about its security practices, which could be indicative of broader trust issues.
Transparency Reduction
Purpose: This scanner analyzes external trust indicators to detect transparency reduction vulnerabilities. It checks for lack of privacy policies, unclear data practices, poor communication methods, and inadequate public disclosure of security measures. This helps in assessing the company’s commitment to transparency and its overall security posture.
What It Detects:
- Lack of Privacy Policy: The absence or inadequacy of a privacy policy indicates a lack of commitment to protecting user data.
- Unclear Data Practices: Unclear policies on how personal information is handled can lead to uncertainty about data protection practices.
- Poor Communication Methods: Poor communication, such as hidden contact details or reliance solely on bug bounties, suggests limited accessibility and transparency in security matters.
- Inadequate Public Disclosure of Security Measures: A lack of regular updates on security measures or a minimal presence in public forums can indicate poor security practices.
Inputs Required:
- Domain: The target website’s domain to analyze.
- Company Name: The name of the company associated with the domain, used for context and reporting.
Business Impact: This is crucial as transparency and trust are foundational elements in any business relationship, especially in cybersecurity where data privacy and integrity are paramount. Lack of transparency can lead to loss of customer confidence and potential regulatory non-compliance.
Risk Levels:
- Critical: If the company lacks a comprehensive privacy policy that clearly outlines data handling practices or if there is no security policy at all despite operations involving sensitive information, this poses a critical risk as it indicates significant lack of commitment to user trust and legal compliance.
- High: Unclear or vague policies on data handling, poor communication methods such as hidden contact details, and inadequate public disclosure of security measures are indicative of high risks, suggesting potential vulnerabilities in the company’s approach to cybersecurity and information protection.
- Medium: Limited transparency through lack of updates on security practices or minimal engagement in public discussions can be considered medium risk, indicating a need for improvement in communication strategies and overall commitment to transparency.
- Low: Well-documented privacy policies that clearly outline data handling, readily accessible contact methods, and regular updates on security measures suggest low risk, reflecting strong efforts towards trust and transparency from the company.
- Info: Informal or minimal disclosures about practices without clear documentation can be considered informational findings, indicating a baseline level of effort in these areas but with potential for improvement to enhance overall trustworthiness.
Example Findings:
- A company lacks a privacy policy despite operating an e-commerce site that handles customer data. This could lead to critical risk as it directly impacts user trust and compliance concerns.
- The company’s website does not list any contact information for security queries, which is indicative of high risk in terms of transparency and accessibility regarding cybersecurity matters.
Bug Bounty Program Degradation
Purpose: This scanner analyzes bug bounty program degradation for a given domain and company by checking various indicators such as presence on external platforms, scope exclusions, payout transparency, and formal program status.
What It Detects:
- The presence of active bug bounty programs on external platforms like HackerOne or Bugcrowd.
- Indicators of narrow scopes that may limit the effectiveness of a bug bounty program.
- Lack of transparency in payouts, which might discourage security researchers from participating.
- Programs that are either paused/suspended or exclusively contact-only, indicating potential limitations on external testing and reporting.
Inputs Required:
- domain: The target domain to analyze.
- company_name: The name of the company associated with the domain.
Business Impact: A degraded bug bounty program can significantly affect an organization’s security posture by limiting vulnerability discovery and response. A well-defined and widely advertised bug bounty program is crucial for attracting external security researchers to contribute effectively, thereby enhancing overall security measures.
Risk Levels:
- Critical: If multiple critical indicators are present (e.g., private or invitation-only programs with no active platform presence), the risk level is considered critical.
- High: If high severity indicators such as paused/suspended programs or heavy exclusions are detected, the risk level is high.
- Medium: For medium severity findings, conditions include multiple narrow scope indicators and poor payout transparency.
- Low: Informational findings indicate a low risk level unless they suggest potential limitations on external testing and reporting.
- Info: These are indicative of minimal impact with no significant security implications beyond the lack of an active bug bounty program.
Example Findings:
- A company has multiple narrow scope exclusions listed in their bug bounty rules, which may deter researchers from participating.
- The bug bounty program is marked as private and contact-only, severely limiting external testing capabilities.