SVD · Vulnerability Disclosure
Vulnerability disclosure quality for {legal_name} in the last 24 months.

EXTRACTION RULES: NEGATIVE-SIGNAL composite. Search NVD (nvd.nist.gov), MITRE CVE feed, vendor advisory page (security.<vendor>.com or product-security.<vendor>.com), HackerOne / Bugcrowd disclosure programs.

ENTITY-MATCH (mandatory): only count CVE records whose CPE vendor/product corresponds to {legal_name}'s own products — DISCARD CVEs from a homonymous vendor or same-named product of a different company; if you cannot entity-match the CVE set to {legal_name}, treat it as zero vendor-specific CVEs, not as the homonym's record.

Return type="composite_signal" with up to 3 sub-signals; each sub-signal MUST carry an EXPLICIT 0-100 value + a source_url backing it (the server applies composite_signal_score = weighted mean of the 0-100 values; it does NOT recompute any bucket — emit the final 0-100 yourself per the guidance below):

- (a) cve_disclosure_transparency — assess vulnerability-handling transparency from the entity-matched CVE record over the window. Use this DIRECTIONAL guidance to set the 0-100 value yourself (it is NOT monotonic in raw count — both opacity and chaos score low, a healthy disciplined disclosure cadence scores high): a vendor with a steady 1-5 CVEs/2y AND published advisories = ~80; 6-15 with advisories = ~70; 16-50 = ~55; 50+ = ~35; ZERO entity-matched CVEs is ambiguous (clean record OR opacity) → value ~50 (deliberately NEUTRAL, not a penalty) and STATE which interpretation in _reasoning.
- (b) critical_disclosure_speed — from the median days between vendor-issued patch and public CVE disclosure across critical (CVSS≥9) CVEs in window, set the 0-100 value: <7d→90, 7-30d→70, 30-90d→50, 90d+→25; if no critical CVEs in window, OMIT this sub-signal (do not emit a null).
- (c) bug_bounty_program — set the 0-100 value: 80 if an active program with disclosed payouts (HackerOne/Bugcrowd), 50 if a program exists but is minimal. If NO public bug-bounty program is located, OMIT this sub-signal entirely (do NOT emit 20): absence of a public program is common and legitimate (private programs, third-party pentests, small vendors) and is NOT a measured negative — scoring it 20 fabricates a penalty from non-disclosure (CLAUDE.md #4/#5). Reserve a low value (~20) ONLY for an affirmatively-evidenced refusal / absence of any vuln-handling process.

Cite NVD search URL + vendor advisory page + (where applicable) HackerOne program URL. Emit at least 2 of the 3 sub-signals (server requires min_signals 2 — omitting unfavourable sub-signals to inflate the mean is rejected; omitting a sub-signal whose evidence is genuinely absent is correct, since the removed signal is not a high value).
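As an added illustration (not part of the rubric's own tooling), the following Python applies the extraction rules above to constructed sample records: entity matching against the CPE vendor, the transparency and critical-speed anchors, omission of sub-signals that lack evidence, the min_signals check, and the composite mean. The record IDs, vendor names, the equal weighting of sub-signals, and the bucket boundaries at exactly 7/30/90 days are assumptions.

```python
from datetime import date
from statistics import median
# Constructed sample records (placeholder IDs, not real CVEs); the last one is a homonym to discard.
SAMPLE_CVES = [
    {"id": "CVE-XXXX-0001", "cpe_vendor": "examplecorp", "cvss": 9.8,
     "patched": date(2024, 3, 1), "disclosed": date(2024, 3, 5)},
    {"id": "CVE-XXXX-0002", "cpe_vendor": "examplecorp", "cvss": 7.5,
     "patched": date(2024, 6, 10), "disclosed": date(2024, 7, 1)},
    {"id": "CVE-XXXX-0003", "cpe_vendor": "examplecorp", "cvss": 9.1,
     "patched": date(2024, 9, 1), "disclosed": date(2024, 9, 20)},
    {"id": "CVE-XXXX-0004", "cpe_vendor": "examplecorp_other", "cvss": 9.9,
     "patched": date(2024, 1, 1), "disclosed": date(2024, 8, 1)},
]

def entity_match(cves, vendor_cpe):  # keep only the entity's own CPE vendor
    return [c for c in cves if c["cpe_vendor"] == vendor_cpe]

def transparency_value(cve_count, advisories_published):
    # Directional anchors from the rubric; zero CVEs is deliberately neutral.
    if cve_count == 0:
        return 50
    if cve_count <= 5 and advisories_published:
        return 80
    if cve_count <= 15 and advisories_published:
        return 70
    if cve_count <= 50:
        return 55  # assumption: <=15 without advisories falls to this anchor
    return 35

def speed_value(cves):
    # Median days between vendor patch and public disclosure over CVSS>=9 CVEs.
    crit = [c for c in cves if c["cvss"] >= 9]
    if not crit:
        return None  # no critical CVEs in window: omit the sub-signal
    d = median((c["disclosed"] - c["patched"]).days for c in crit)
    return 90 if d < 7 else 70 if d <= 30 else 50 if d < 90 else 25

def bounty_value(program):  # 'active', 'minimal', 'refused' (evidenced) or None
    return {"active": 80, "minimal": 50, "refused": 20}.get(program)

def composite(cves, vendor_cpe, advisories_published, program, min_signals=2):
    matched = entity_match(cves, vendor_cpe)
    subs = {"cve_disclosure_transparency": transparency_value(len(matched), advisories_published),
            "critical_disclosure_speed": speed_value(matched), "bug_bounty_program": bounty_value(program)}
    subs = {k: v for k, v in subs.items() if v is not None}  # omit, never emit null
    if len(subs) < min_signals:
        raise ValueError("server requires at least %d sub-signals" % min_signals)
    # Assumption: equal weights, since the rubric gives none per sub-signal.
    return subs, sum(subs.values()) / len(subs)
```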
Formula
SVD = security_disclosure_signals × 1.00
Component weights
Weight distribution
- Cat A · Deterministic
Component details
| Component | Weight | Source tier |
|---|---|---|
| Security Disclosure Signals | 100% | Cat A |
Sources used
Cat D · Viral
- Evidence Extractor: Perplexity
Confidence levels
High
All required components present, data less than 90 days old
Medium
Main components present, data less than 180 days old
Low
Partial coverage or data older than 180 days; published with a disclaimer
Insufficient
Insufficient data; index not shown publicly