Trust Debt™ | Vendor Security Intelligence

Every vendor you rely on has a vulnerability backlog.

Trust Debt™ quantifies it. We track CVE history, exploit activity, breach records, and trajectory trends — then distill it into a single grade you can actually act on.

A: CONTAINED
B: MODERATE
C: ELEVATED
D: HIGH RISK
F: SEVERE
70% of enterprise breaches involve a vendor or third-party component
119 days: the NVD CVE window Trust Debt tracks per vendor
1,000+ CVEs in CISA KEV, each one confirmed as actively exploited
Methodology

The Trust Debt™ Formula

A single score that compounds vulnerability severity, age, recurrence patterns, real-world exploitation, and breach history — updated nightly from four independent data sources.

TrustTrajectory = TD × δ × R × K × P × B
Lower score = less debt = better grade
TD (Trust Debt): Sum of (severity × age) for every CVE in the last 365 days. Older unpatched CVEs accumulate more debt than recent ones.
δ (Delta): Ratio of current-year debt to prior-year debt. Below 1.0 means the vendor is improving; above 1.0 means things are getting worse.
R (Recurrence): Penalises vendors that keep producing Critical and High severity CVEs, a signal of systemic rather than one-off failures.
K (KEV Factor): Multiplier for CVEs on the CISA Known Exploited Vulnerabilities list. Real-world exploitation is weighted 1.3× per CVE.
P (EPSS Factor): Scales with the FIRST Exploit Prediction Scoring System probability that a CVE will be exploited in the next 30 days.
B (Breach Factor): HIBP-matched breach history: number of incidents and records exposed, time-decayed with a 12-month half-life.
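
The formula above, worked through as an added example (this is not Trust Debt's own code). Assumptions: severity is the CVSS base score, age is counted in days, prior-year debt is TD evaluated one year earlier, K compounds 1.3× per KEV-listed CVE, B is 1 plus the decayed incident count with 12 months taken as 365 days, and R and P are passed in because the page gives no formula for them. The sample vendor is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Cve:
    cvss: float          # assumption: "severity" is the CVSS base score
    published: date
    kev: bool = False    # listed in CISA KEV

def in_window(c, today, days=365):
    return 0 <= (today - c.published).days <= days

def trust_debt(cves, today):
    """TD: sum of severity x age (age in days is an assumed unit)."""
    return sum(c.cvss * (today - c.published).days
               for c in cves if in_window(c, today))

def delta(cves, today):
    """Current-year debt over prior-year debt; below 1.0 means improving."""
    prior = trust_debt(cves, today - timedelta(days=365))
    return trust_debt(cves, today) / prior if prior else 1.0  # assumed neutral

def kev_factor(cves, today):
    """K: '1.3x per CVE' read as a compounding multiplier (assumption)."""
    return 1.3 ** sum(1 for c in cves if c.kev and in_window(c, today))

def breach_factor(breach_dates, today, half_life_days=365.0):
    """B: 1 + decayed incident count (assumed form; record counts omitted)."""
    ages = [(today - d).days for d in breach_dates if d <= today]
    return 1.0 + sum(0.5 ** (a / half_life_days) for a in ages)

def trust_trajectory(cves, breach_dates, today, r=1.0, p=1.0):
    """TD x delta x R x K x P x B. R and P have no formula on the page,
    so they are caller-supplied multipliers here."""
    return (trust_debt(cves, today) * delta(cves, today) * r
            * kev_factor(cves, today) * p * breach_factor(breach_dates, today))

# Constructed sample vendor (not real data).
TODAY = date(2024, 7, 1)
SAMPLE_CVES = [
    Cve(9.8, date(2024, 6, 1), kev=True),   # 30 days old, KEV-listed
    Cve(5.0, date(2024, 3, 23)),            # 100 days old
    Cve(7.0, date(2023, 1, 1)),             # outside the window: prior-year debt
]
SAMPLE_BREACHES = [TODAY - timedelta(days=365)]  # one incident, one half-life ago

if __name__ == "__main__":
    print(round(trust_trajectory(SAMPLE_CVES, SAMPLE_BREACHES, TODAY), 2))
```

Because every factor is a multiplier, a single KEV listing or a recent breach scales the whole score rather than adding to it, which is worth keeping in mind when comparing vendors with very different CVE volumes.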
Grading

From A to F

A (CONTAINED): Low trajectory, improving or stable trend
B (MODERATE): Average for the cohort, manageable debt
C (ELEVATED): Carrying notable disclosure debt
D (HIGH RISK): Large unpatched backlog, poor trajectory
F (SEVERE): Persistent, high-severity exposure history
Features

Three ways to explore

Live Leaderboard
All tracked vendors ranked by Trust Trajectory. Trading-card format — flip through grades, CVE counts, KEV hits, and breach history at a glance.
Weakness Intelligence
Industry-wide CWE pattern analysis. See which classes of vulnerability recur across vendors, which are actively exploited in the wild, and who the worst offenders are.
Head-to-Head Compare
Put two vendors side by side — trajectory delta, severity breakdown, KEV exposure, EPSS scores, and breach history on a single screen.
Data Sources

Four independent signals

No proprietary threat feeds. Every score is computable from public, authoritative data — updated nightly via Cloudflare Workers.

NIST NVD: CVE Database

National Vulnerability Database — every published CVE with severity scores, descriptions, and CWE classifications.

CISA KEV: Exploitation Catalog

Known Exploited Vulnerabilities: CVEs confirmed as actively exploited in the wild, maintained by the US Cybersecurity and Infrastructure Security Agency.

FIRST EPSS: Exploit Prediction

Exploit Prediction Scoring System — daily probability scores for every CVE being exploited in the next 30 days.

HIBP: Breach History

Have I Been Pwned dataset — matched to vendors by domain and keyword to surface breach history and affected record counts.

Start Exploring

How much do you trust your vendors?

Search any vendor. Compare alternatives. Spot the weakness patterns lurking across your supply chain.
