
Accuracy

Description

90% of the total severity of the vulnerabilities is detected, and the detected vulnerabilities carry some level of risk.

Criteria

All of the following aspects are necessary conditions for the application of the service-level agreements:

  1. The group has a SQUAD plan,
  2. Both the environment and the source code are accessible,
  3. The environment is paired with the code, i.e., the environment corresponds to the provided branch,
  4. The environment is stable (80% of business days with no open eventualities),
  5. A complete dataset exists for the corresponding use case,
  6. Remote access with no human intervention (no CAPTCHA, OTP, etc.),
  7. A 100% health check was performed on the group potentially affected by a false negative,
  8. An average of 400 weekly changes per author since the service started, up to the potential false negative report.

Details

Besides the general measurement aspects, this SLA is measured taking into account the following:

  1. The severity of vulnerabilities is calculated using CVSSF = 4^(CVSS-4),
  2. The accuracy is calculated from the false positives, the false negatives and the F-score model,
  3. Black vulnerabilities detectable only via source code are not considered false negatives.
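As an added worked example (not code from the original page), the following Python applies the CVSSF weighting above to a constructed set of findings and derives severity-weighted precision, recall and F-score from the false positives and false negatives. The names `Finding`, `severity_weighted_scores` and `meets_accuracy_sla` are this example's own; applying the 90% target to the weighted F-score, and excluding source-only misses only in a black-box engagement, are assumptions about how the page's rules combine.

```python
from dataclasses import dataclass

def cvssf(cvss: float) -> float:
    """Severity weight from the SLA: CVSSF = 4^(CVSS-4); each +1 CVSS quadruples it."""
    return 4.0 ** (cvss - 4.0)

@dataclass(frozen=True)
class Finding:
    cvss: float                # CVSS base score
    reported: bool             # the service reported it
    real: bool                 # confirmed as a true vulnerability (e.g. by the health check)
    source_only: bool = False  # detectable only by reading the source code

def severity_weighted_scores(findings, black_box=False):
    """Return (precision, recall, F-score), every finding weighted by CVSSF.
    A missed real finding is a false negative, except a source-only one in a
    black-box engagement (no source access), which the SLA details exclude."""
    tp = fp = fn = 0.0
    for f in findings:
        w = cvssf(f.cvss)
        if f.reported and f.real:
            tp += w
        elif f.reported:          # reported but not real: false positive
            fp += w
        elif f.real and not (black_box and f.source_only):
            fn += w
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_score = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f_score

def meets_accuracy_sla(findings, black_box=False, threshold=0.90):
    """Assumption for this example: the 90% target is applied to the weighted F-score."""
    return severity_weighted_scores(findings, black_box)[2] >= threshold

# Constructed sample: two true positives, one false positive, two misses
SAMPLE = [
    Finding(cvss=9.0, reported=True, real=True),                     # weight 1024
    Finding(cvss=7.0, reported=True, real=True),                     # weight 64
    Finding(cvss=5.0, reported=True, real=False),                    # weight 4, false positive
    Finding(cvss=6.0, reported=False, real=True),                    # weight 16, false negative
    Finding(cvss=8.0, reported=False, real=True, source_only=True),  # weight 256, source-only miss
]

if __name__ == "__main__":
    for black_box in (False, True):
        p, r, f = severity_weighted_scores(SAMPLE, black_box)
        print(f"black_box={black_box}: P={p:.3f} R={r:.3f} F={f:.3f} "
              f"SLA met: {meets_accuracy_sla(SAMPLE, black_box)}")
```

Note how the single missed CVSS 8.0 finding (weight 256) pulls the weighted recall down to 0.8 and the F-score below the target, while many missed lows would barely move it.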