Responsible Disclosure Policy

To maintain the integrity of its Security Ratings and industry research, BitSight Technologies follows a strict code of conduct, as outlined below:

  • Provide transparency about the security ratings process.
  • Standardize treatment for customers and noncustomers.
  • Practice responsible disclosure in how we share ratings.
  • Provide a process for appealing ratings content (for customers and noncustomers), including access to an independent ombudsman.
  • Enable any rated organization (including noncustomers) to get access to their rating details.
  • Facilitate participation and engagement with standards bodies, regulators and governmental bodies; BitSight is a signatory to the Principles for Fair and Accurate Security Ratings.

BitSight firmly believes that integrity is the mark of a true security ratings authority.

We believe in providing transparency about our ratings, and we provide information in our portal and Knowledge Base about how ratings are calculated (i.e. which risk vectors were considered and their relative weighting). When we change our algorithms, we provide advance notice and demonstrate how such a change will impact ratings.

We treat customers and noncustomers the same—our algorithms do not take into account whether an entity is a customer or not.  In addition, we provide free access to our ratings for a limited period of time to all rated entities and will always work with any rated entity to improve the accuracy of its rating, regardless of whether it is a paying customer.

We do not publicly discuss specific ratings of companies via public forums (e.g. news outlets, industry events, etc.). We believe that we provide valuable insight into security through aggregate and industry trends.  We do not believe in discussing a company’s rating publicly without permission, as this can pose a security risk to an organization.

While we are confident in the quality of our data, we believe that any organization using BitSight Security Ratings should have a way to dispute its ratings formally if it is ultimately not satisfied with the response it receives from BitSight. BitSight has engaged an independent ombudsman, who can be contacted by a rated entity free of charge and who reviews issues of accuracy, fairness, and balance regarding BitSight Security Ratings. The ombudsman will review the information presented and will recommend the appropriate approach for BitSight to take. For more information, see

We also believe that responsible disclosure includes collaboration and sharing of information with law enforcement and governmental organizations and we offer our Sovereign Ratings product to help support these goals.  We are also a signatory to the Principles for Fair and Accurate Security Ratings.


Last updated: September 2018
Reviewed: Annually
