Every company accrues tech debt. Every company also accrues Trust Debt™ — but rarely is it taken into account when choosing a CSP or SaaS provider. Search any company to calculate theirs.
Trust Debt measures how fast you're accumulating exploitable risk compared to how fast you're paying it down.
Data Sources & Disclaimers
NIST NVD — CVEs
Vulnerability data sourced from the National Institute of Standards and Technology National Vulnerability Database (NIST NVD). CVE counts and severity scores reflect publicly disclosed vulnerabilities. Trust Debt scores are a derived metric and not endorsed by NIST.
CISA KEV
Known Exploited Vulnerabilities catalog maintained by the Cybersecurity and Infrastructure Security Agency (CISA). KEV entries indicate vulnerabilities with confirmed active exploitation in the wild. Inclusion increases Trust Debt weighting.
FIRST EPSS
Exploit Prediction Scoring System (EPSS) scores provided by the Forum of Incident Response and Security Teams (FIRST). EPSS estimates the probability a CVE will be exploited within 30 days. Higher EPSS scores amplify Trust Debt trajectory.
CISA Secure by Design Pledge
The CISA SBDP ✓ badge indicates a software manufacturer has voluntarily signed the CISA Secure by Design pledge, committing to measurable progress on memory-safe languages, default security settings, and reducing CVE classes. Signatory list sourced from cisa.gov and refreshed monthly. Signing the pledge does not guarantee security.
Have I Been Pwned — Breaches
Breach data sourced from Have I Been Pwned (HIBP), a public service cataloging confirmed data breaches. The B factor in the Trust Trajectory formula is weighted by breach PwnCount (number of affected accounts) with a 12-month half-life decay — recent breaches carry full weight while older incidents diminish over time. Matching uses company name, domain, and configured aliases to capture parent/subsidiary relationships (e.g. Meta → Facebook). Breach data is informational and does not imply ongoing vulnerability.
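The following is an added illustration of the breach weighting described above, not the site's own code. It shows how a 12-month half-life discounts older breaches and how a missing alias drops a subsidiary's breaches from the total. Assumptions: the decayed PwnCounts are simply summed, age is measured in calendar months, and the function names and sample records are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

HALF_LIFE_MONTHS = 12.0  # half-life stated on the page


@dataclass(frozen=True)
class Breach:
    name: str          # HIBP "Name" field
    domain: str        # HIBP "Domain" field (can be empty)
    pwn_count: int     # HIBP "PwnCount" field
    breach_date: date  # HIBP "BreachDate" field


def age_in_months(breach_date, today):
    """Approximate age in months; future-dated records are clamped to zero."""
    months = (today.year - breach_date.year) * 12 + (today.month - breach_date.month)
    months += (today.day - breach_date.day) / 30.0
    return max(months, 0.0)


def matches(breach, company, domain, aliases=()):
    """Match on company name, configured aliases, or domain (case-insensitive)."""
    names = {n.casefold() for n in (company, *aliases)}
    # An empty domain must never match: some breach records carry no domain.
    same_domain = bool(domain) and breach.domain.casefold() == domain.casefold()
    return breach.name.casefold() in names or same_domain


def breach_factor(breaches, company, domain, aliases=(), today=None):
    """Assumed combination: sum of PwnCount * 0.5 ** (age / half-life)."""
    today = today or date.today()
    total = 0.0
    for b in breaches:
        if matches(b, company, domain, aliases):
            decay = 0.5 ** (age_in_months(b.breach_date, today) / HALF_LIFE_MONTHS)
            total += b.pwn_count * decay
    return total


# Constructed sample records, not real HIBP data.
SAMPLE = [
    Breach("Facebook", "facebook.com", 1000, date(2025, 6, 15)),  # age 0 months
    Breach("Facebook", "facebook.com", 1000, date(2024, 6, 15)),  # age 12 months
    Breach("Facebook", "facebook.com", 1000, date(2023, 6, 15)),  # age 24 months
    Breach("ExampleCorp", "example.com", 5000, date(2025, 6, 1)),  # unrelated company
]
TODAY = date(2025, 6, 15)
```

With the alias configured, `breach_factor(SAMPLE, "Meta", "meta.com", aliases=["Facebook"], today=TODAY)` counts all three Facebook records at full, half and quarter weight; without the alias the same call returns zero, which is why alias coverage matters when reading a parent company's score.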