Trust Debt™|VENDOR SECURITY INTELLIGENCE
Vendor Security Intelligence

Every vendor you rely on
has a vulnerability backlog.

Trust Debt™ quantifies it. We track CVE history, exploit activity, breach records, and trajectory trends — then distill it into a single grade you can actually act on.

70%
of enterprise breaches involve a vendor or third-party component
365
days — the rolling CVE window each vendor is scored over
1,000+
CVEs in CISA KEV — each one confirmed as actively exploited
Methodology

The Trust Debt™ Formula

A single score built from the averageseverity of a vendor's recent CVEs — weighted by recency, remediation, real-world exploitation, breach history, and trend, then scaled gently by volume. Size-normalised on purpose, so a large, transparent vendor isn't punished for disclosing. Updated nightly from four public data sources.

TrustScore = MeanDebt × δ × R × K × P × B × log(CVEs)
Every multiplier is bounded — no single factor can run away. Lower score = better grade.
Debt
Mean CVE Debt
The average debt of a vendor's CVEs in the last 365 days — severity, weighted by recency (18-month half-life) and halved when a fix or advisory is published. A mean, not a sum, so large vendors are not penalised for transparency.
δ
Delta
Trend: this year's mean debt over last year's, clamped to 0.5–2×. Below 1.0 the vendor is improving; above 1.0 it is deteriorating.
R
Recurrence
The share of the window that is Critical or High severity — a systemic-failure signal. Bounded, so it cannot run away with volume.
K
Exploited (KEV)
The share of CVEs on the CISA Known Exploited Vulnerabilities list, with extra weight for ransomware-linked entries. Real-world exploitation, bounded.
P
EPSS
The mean FIRST EPSS probability across Critical/High CVEs — the chance they are exploited in the next 30 days. Bounded.
B
Breach
HIBP-matched breach history: incidents and records exposed, time-decayed with a 12-month half-life. Bounded.
Vol
Volume
A log-damped count of recent CVEs. Volume still matters — more surface, more patching — but log-scaled so it can never dominate the score.
Grading

From A to F

A
CONTAINED
Low-intensity vulnerability profile
B
LOW
Below average for the tracked field
C
MODERATE
Carrying moderate disclosure debt
D
ELEVATED
A real backlog of unresolved risk
F
SEVERE
Severe, recurring high-severity exposure
Features

Four ways to explore

Live Leaderboard
All tracked vendors ranked by Trust Trajectory. Trading-card format — flip through grades, CVE counts, KEV hits, and breach history at a glance.
Open Leaderboard →
Head-to-Head Compare
Put two vendors side by side — trajectory delta, severity breakdown, KEV exposure, EPSS scores, and breach history on a single screen.
Compare Vendors →
Weakness Intelligence
Industry-wide CWE pattern analysis. See which classes of vulnerability recur across vendors, which are actively exploited in the wild, and who the worst offenders are.
Explore Weaknesses →
$
Bug Bounty Programs
See which vendors run a paid bug bounty or a vulnerability disclosure program, across ten platforms — HackerOne, Bugcrowd, Intigriti, Synack, Immunefi and more. Know before you disclose.
View Bounty Programs →
Data Sources

Four independent signals

No proprietary threat feeds. Every score is computable from public, authoritative data — updated nightly via Cloudflare Workers.

NIST NVDCVE Database

National Vulnerability Database — every published CVE with severity scores, descriptions, and CWE classifications.

CISA KEVExploitation Catalog

Known Exploited Vulnerabilities — CVEs confirmed as actively exploited in the wild, maintained by the US Cybersecurity agency.

FIRST EPSSExploit Prediction

Exploit Prediction Scoring System — daily probability scores for every CVE being exploited in the next 30 days.

HIBPBreach History

Have I Been Pwned dataset — matched to vendors by domain and keyword to surface breach history and affected record counts.

Honesty

What it can't tell you

Trust Debt™ is a directional signal from public data, not a verdict. The honest limits:

Disclosure ≠ exposure
A CVE being published doesn't mean any given deployment is vulnerable or unpatched. We measure disclosed risk, not your installed reality.
Remediation is a proxy
The patch down-weight keys off NVD reference tags (Patch / Vendor Advisory) — evidence a fix exists, not proof every user has applied it.
Attribution is keyword-based
Vendors are matched to CVEs by keyword. Broad or shared names (e.g. "Linux") can over- or under-count. Treat outliers with skepticism.
Bounded, not precise
Every factor is capped and the model is robust to its own parameters — good for ranking and triage, not a number to put in a contract.
Public sources only
NVD, CISA KEV, FIRST EPSS, HIBP. No private telemetry, no pen-test results, no SBOM. It sees what's public and nothing more.
Not a risk assessment
A useful conversation starter and comparison tool — not a substitute for a formal third-party / vendor security review.
Start Exploring

How much do you trust
your vendors?

Search any vendor. Compare alternatives. Spot the weakness patterns lurking across your supply chain.

VIEW LEADERBOARD →WEAKNESS INTEL →