To maintain the integrity of its Security Ratings and industry research, BitSight Technologies follows a strict code of conduct, as outlined below:
- Provide transparency about the security ratings process.
- Standardize treatment for customers and noncustomers.
- Practice responsible disclosure, including not sharing sensitive information with other companies without authorization.
- Provide a formal ratings appeals process, including access to an independent ombudsman.
- Accept payment only from the company purchasing a rating, not the company being rated (although a company can buy its own rating).
- Facilitate participation and engagement with standards bodies and regulators.
BitSight firmly believes that integrity is the mark of a true security ratings authority.
BitSight does not share sensitive information (e.g. IP details or event forensics) with other companies without authorization, nor do we publicly discuss specific ratings of companies in public forums (e.g. news outlets or industry events). We believe that we can provide valuable insight into security posture through aggregate and industry trends. We do not believe in discussing companies publicly without consent, as this can pose a security risk to an organization. Transparency in the name of press coverage is irresponsible and counterproductive.
BitSight’s forensic details provide customers with information on compromised IP addresses, malware server names, destination IP addresses, ports, host names, and more for their own network. BitSight will grant any third party (whether or not a customer) access to its rating for a limited period of time at no cost.
We also believe that responsible disclosure includes collaboration with law enforcement and governmental organizations in compliance with applicable law.
A trusted ratings firm must offer a formal appeals process and an independent third party verifying that the appeals process is fair and unbiased. Organizations may wonder whether BitSight Security Ratings are applied consistently and uniformly across all companies. While we are confident in the quality of our data, we believe that any organization using BitSight Security Ratings should have a way to properly dispute its ratings. The BitSight ombudsman reviews issues of accuracy, fairness, and balance regarding BitSight Security Ratings. Through the formal appeals process, the ombudsman recommends approaches to address any issue and to update BitSight data or processes as necessary. For more information, see https://www.bitsighttech.com/ombudsman.