Vendor Security Scorecards

Vendor Scorecards help you compare the security responsiveness of software vendors based on their CVE history. Available at wtfisthiscve.com/vendors.

How Scores Are Calculated

Each vendor receives a score from 0-100, starting at 100 with deductions for:

Factor	Max Deduction	How It's Measured
Slow response time	-30 points	Average days to patch (>90 days)
Unpatched CVEs	-25 points	Percentage of CVEs with no fix or mitigation
Critical gaps	-25 points	CVEs with exploits but no detection (-5 each)
Incomplete fixes	-10 points	Percentage of partial patches

Response Time Grades

Grade	Average Response Time
A	Less than 7 days
B	7-30 days
C	30-90 days
D	90-180 days
F	Over 180 days

What Counts as "Patched"?

We track four patch statuses:

Status	Description	Counted as Patched?
Available	Full patch released	Yes
Partial	Incomplete fix (some variants addressed)	Partial credit
Workaround	Mitigation available, no patch	Yes (not penalized)
Not Available	No fix or mitigation	No

Why Workarounds Count

A key nuance: vendors are NOT penalized for CVEs that have workarounds or mitigations, even without a formal patch.

This reflects reality:

Some vulnerabilities don't require code changes (e.g., configuration-based mitigations)
Workarounds can be as effective as patches for certain issue types
What matters is whether users can protect themselves

We detect workarounds from:

NVD references tagged as "Mitigation" or "Workaround"
CISA KEV remediation actions mentioning mitigations
Description keywords indicating mitigations exist

Vendor Name Normalization

Vendors appear under different names in CVE data (e.g., "Microsoft Corporation" vs "Microsoft"). We normalize these to canonical names so all CVEs for a vendor are grouped together.

Examples:

"Microsoft Corporation", "Microsoft Corp." → Microsoft
"Google LLC", "Google Inc." → Google
"The Apache Software Foundation" → Apache

Metrics Explained

Total CVEs

Count of CVEs associated with the vendor's products in our database.

Average Response Days

Mean time from CVE publication to patch availability, calculated only for CVEs that have patches.

Patch Rate

Percentage of CVEs with a full patch available:

patch_rate = (patched_count / total_cves) * 100

Critical Gap Count

Number of CVEs where:

Exploits exist (in Metasploit, ExploitDB, CISA KEV, etc.)
No detection available (OSV, Nuclei, Sigma, etc.)
Severity is HIGH or CRITICAL

These represent blind spots where attacks may go undetected.

Data Coverage

Vendor scorecards are based on CVEs we've processed, which includes:

All CRITICAL, HIGH, and MEDIUM severity CVEs from the last 30 days
Older CVEs processed through backfill

We show coverage percentages on vendor pages so you know how complete the data is.

Limitations

Not all vendors have sufficient data - We require minimum 5 CVEs to display a scorecard
Patch detection is imperfect - Some patches may not be tagged in NVD
New CVEs may not have patch data yet - Patch status updates as vendors respond
Different vendor sizes - A vendor with 2,000 CVEs vs 10 CVEs aren't directly comparable

Using Scorecards

Vendor scorecards are useful for:

Procurement decisions - Compare security responsiveness before choosing software
Risk assessment - Identify vendors that may need closer monitoring
Trend analysis - Track if a vendor's security posture is improving
Research - Understand industry-wide patterns in vulnerability response

How Scores Are Calculated​

Response Time Grades​

What Counts as "Patched"?​

Why Workarounds Count​

Vendor Name Normalization​

Metrics Explained​

Total CVEs​

Average Response Days​

Patch Rate​

Critical Gap Count​

Data Coverage​

Limitations​

Using Scorecards​