How the trust score is calculated

Each scan starts at a baseline of 60. We then query a panel of open OSINT sources in parallel and adjust the score based on what each one returns. The more sources respond, the higher the confidence rating.

Sources we check

All sources are public — no permission or scanning consent is required from the vendor.

Cloudflare DNS (DoH): reachability, email anti-spoofing. Confirms the domain resolves and reads the SPF / DMARC TXT records.
TLS / HTTPS handshake: encryption grade A / B / F. Verifies that a valid certificate is served over HTTPS.
HTTP response headers: web hardening posture. Inspects HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
Server / tech fingerprint: technology disclosure. Reads the disclosed Server and X-Powered-By headers.
RDAP (registry lookup): domain age and legitimacy. Pulls the domain registration date and registrar.
crt.sh + Certspotter: subdomain footprint. Counts certificates issued for the domain via Certificate Transparency logs.
Mozilla HTTP Observatory v2: third-party security grade. Independent grade for the web security configuration.
HSTS preload list: transport security. Checks Chromium's preload list for forced HTTPS.
abuse.ch URLhaus: malware history. Looks up known malware-hosting history (optional, requires a free auth key).
Wikipedia (REST API): public profile / context. Detects brand notability via an article summary.

How signals adjust the score

Domain reachability: +5 if DNS resolves, −25 if it doesn't.
TLS / HTTPS: +12 for grade A, +4 for grade B, −20 if HTTPS is broken.
SPF email policy: +6 if present, −8 if missing.
DMARC policy: +8 if present, −8 if missing.
Security headers: a 4-point baseline reduction, then +2 per header detected.
Mozilla Observatory grade: +8 for A, +4 for B, 0 for C, −6 for D, −12 for F.
HSTS preload: +4 if the domain is on the Chromium preload list.
Domain age (RDAP): +6 if older than 5 years, +3 if 2–5 years, −6 if under 12 months.
Subdomain footprint (CT): small bonus for an established footprint, neutral otherwise.
URLhaus malware history: heavy penalty (−25) if the domain appears in malware records.
Wikipedia presence: +2 small notability bonus if a brand article exists.
Optional questionnaire: adjusts the OSINT base score by up to ±20 points and boosts confidence by up to 10%.

Bands & confidence

Final scores are clamped between 5 and 98. Bands: 75+ Low risk, 50–74 Medium risk, <50 High risk. Confidence is the share of OSINT sources that returned data on this scan, plus any boost from a completed supplier questionnaire.

Enriching the score with the supplier questionnaire

OSINT alone can only see what is publicly visible. The optional supplier questionnaire lets you capture controls that aren't observable from the outside — ISO 27001 certification, MFA enforcement, encryption at rest, incident response, sub-processor management, and more.

14 weighted questions: covering Governance, Access, Data, Operations and Assurance.
Yes / Partial / No / Unsure: each answer carries a weight that nudges the OSINT base score.
Score impact: adjusts the trust score by up to ±20 points based on the answered questions.
Confidence boost: a fully completed questionnaire adds up to +10% confidence on top of OSINT signal coverage.
Transparent breakdown: when answered, the scorecard shows the OSINT base score and the questionnaire delta separately.
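The signal adjustments, clamping and banding from "How signals adjust the score" and "Bands & confidence", together with the questionnaire delta and confidence boost described just above, worked through as one runnable scorer. This is an added illustration written for this page, not VendorShield Lite's own implementation: the point values, the 5–98 clamp, the risk bands and the ±20 / +10% questionnaire limits are taken from the text, while the data model, the size of the Certificate Transparency bonus (+2 at five or more certificates), the neutral treatment of a domain aged 12–24 months, the fourteen question labels with their weights, and the Yes / Partial / No factors of +1 / +0.5 / −1 are assumptions made here. The sample vendor signals and answers are constructed.

```python
"""Trust-score arithmetic as described on this page (added illustration, not
VendorShield Lite's code). Point values, clamp, bands and questionnaire limits
follow the text; the data model, question weights, answer factors and the
Certificate Transparency bonus size are assumptions made for this example."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

BASELINE, SCORE_MIN, SCORE_MAX = 60, 5, 98
SOURCE_COUNT = 10                  # OSINT sources on the panel
QUESTIONNAIRE_CAP = 20             # questionnaire delta is clamped to +/-20 points
QUESTIONNAIRE_CONF_BOOST = 0.10    # a fully answered questionnaire adds up to +10%
SECURITY_HEADERS = {"strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options",
                    "referrer-policy", "permissions-policy"}
TLS_POINTS = {"A": 12, "B": 4, "F": -20}
OBSERVATORY_POINTS = {"A": 8, "B": 4, "C": 0, "D": -6, "F": -12}


@dataclass
class OsintSignals:
    """What each source returned; None means the source did not answer."""
    dns_resolves: Optional[bool] = None        # Cloudflare DoH; also carries SPF/DMARC
    spf_present: bool = False
    dmarc_present: bool = False
    tls_grade: Optional[str] = None            # "A" / "B" / "F"
    headers: Optional[list[str]] = None        # response header names observed
    fingerprint: Optional[dict] = None         # Server / X-Powered-By (no score impact)
    domain_age_days: Optional[int] = None      # from the RDAP registration date
    ct_certificates: Optional[int] = None      # crt.sh + Certspotter count
    observatory_grade: Optional[str] = None    # Mozilla Observatory A-F
    hsts_preloaded: Optional[bool] = None
    in_urlhaus: Optional[bool] = None
    has_wikipedia_article: Optional[bool] = None

    def sources_responded(self) -> int:
        fields = (self.dns_resolves, self.tls_grade, self.headers, self.fingerprint,
                  self.domain_age_days, self.ct_certificates, self.observatory_grade,
                  self.hsts_preloaded, self.in_urlhaus, self.has_wikipedia_article)
        return sum(f is not None for f in fields)


def osint_base(s: OsintSignals) -> tuple[int, dict[str, int]]:
    """Apply each signal's adjustment to the 60-point baseline. Returns the
    un-clamped base and a per-signal breakdown; silent sources contribute 0."""
    adj: dict[str, int] = {}
    if s.dns_resolves is not None:
        adj["dns"] = 5 if s.dns_resolves else -25
        adj["spf"] = 6 if s.spf_present else -8
        adj["dmarc"] = 8 if s.dmarc_present else -8
    if s.tls_grade is not None:
        adj["tls"] = TLS_POINTS.get(s.tls_grade.upper(), -20)   # anything else = broken
    if s.headers is not None:   # 4-point baseline reduction, then +2 per hardening header
        adj["headers"] = -4 + 2 * len({h.lower() for h in s.headers} & SECURITY_HEADERS)
    if s.observatory_grade is not None:
        adj["observatory"] = OBSERVATORY_POINTS.get(s.observatory_grade.upper(), 0)
    if s.hsts_preloaded is not None:
        adj["hsts_preload"] = 4 if s.hsts_preloaded else 0
    if s.domain_age_days is not None:
        if s.domain_age_days > 5 * 365:
            adj["age"] = 6
        elif s.domain_age_days >= 2 * 365:
            adj["age"] = 3
        elif s.domain_age_days < 365:
            adj["age"] = -6
        else:
            adj["age"] = 0          # 12-24 months: not listed on the page, assumed neutral
    if s.ct_certificates is not None:   # "small bonus": +2 at >= 5 certificates, assumed
        adj["ct"] = 2 if s.ct_certificates >= 5 else 0
    if s.in_urlhaus is not None:
        adj["urlhaus"] = -25 if s.in_urlhaus else 0
    if s.has_wikipedia_article is not None:
        adj["wikipedia"] = 2 if s.has_wikipedia_article else 0
    return BASELINE + sum(adj.values()), adj


# Fourteen questions across the five areas named above. Labels and weights are
# assumptions; the page gives only the areas, the answer scale and the +/-20 cap.
QUESTIONS = {
    "G1 policy owner": 2, "G2 risk assessments": 2, "G3 ISO 27001 / SOC 2": 4,
    "A1 MFA enforced": 4, "A2 least-privilege reviews": 2, "A3 joiner/leaver process": 2,
    "D1 encryption at rest": 3, "D2 encryption in transit": 2, "D3 data retention": 2,
    "O1 incident response plan": 3, "O2 patching SLA": 3, "O3 backups tested": 2,
    "S1 annual pen test": 3, "S2 sub-processor management": 2,
}
ANSWER_FACTOR = {"yes": 1.0, "partial": 0.5, "no": -1.0}   # "Unsure" = unanswered


def questionnaire_delta(answers: dict[str, str]) -> tuple[int, float]:
    """Weighted, clamped score delta plus a confidence boost that scales with
    how many of the fourteen questions were actually answered."""
    raw, answered = 0.0, 0
    for question, weight in QUESTIONS.items():
        factor = ANSWER_FACTOR.get(str(answers.get(question, "unsure")).lower())
        if factor is None:          # Unsure or missing: no weight, no confidence
            continue
        answered += 1
        raw += weight * factor
    delta = max(-QUESTIONNAIRE_CAP, min(QUESTIONNAIRE_CAP, round(raw)))
    return delta, QUESTIONNAIRE_CONF_BOOST * answered / len(QUESTIONS)


def band(score: int) -> str:
    return "Low risk" if score >= 75 else "Medium risk" if score >= 50 else "High risk"


def trust_score(s: OsintSignals, answers: dict[str, str] | None = None) -> dict:
    """Combine OSINT base and questionnaire delta, clamp, band, and report the
    two parts separately as the scorecard does."""
    base, breakdown = osint_base(s)
    delta, boost = questionnaire_delta(answers or {})
    final = max(SCORE_MIN, min(SCORE_MAX, base + delta))
    confidence = min(1.0, s.sources_responded() / SOURCE_COUNT + boost)
    return {"osint_base": base, "questionnaire_delta": delta, "score": final,
            "band": band(final), "confidence": round(confidence, 2), "breakdown": breakdown}


# Constructed sample: a hypothetical vendor where nine of ten sources answered.
SAMPLE_SIGNALS = OsintSignals(
    dns_resolves=True, spf_present=True, dmarc_present=False, tls_grade="A",
    headers=["Strict-Transport-Security", "Content-Security-Policy", "X-Content-Type-Options"],
    fingerprint={"server": "nginx"}, domain_age_days=3000, ct_certificates=12,
    observatory_grade="B", hsts_preloaded=False, in_urlhaus=False)   # Wikipedia: no answer
SAMPLE_ANSWERS = {"G3 ISO 27001 / SOC 2": "No", "A1 MFA enforced": "Yes",
                  "D2 encryption in transit": "Partial", "O1 incident response plan": "Yes",
                  "S1 annual pen test": "Unsure"}

if __name__ == "__main__":
    print(trust_score(SAMPLE_SIGNALS, SAMPLE_ANSWERS))
```

Two things worth noticing when running it: a source that returned nothing is excluded from both the score and the confidence denominator's numerator, so a quiet URLhaus query is not the same as a clean one; and because the clamp is applied only to the combined score, a vendor whose OSINT base already sits well below 5 can answer every question "No" and still display the same floor score, which is why the breakdown shows the two parts separately.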
Important caveat

Questionnaire answers are self-attested by the supplier and are not independently verified by VendorShield Lite. Before relying on questionnaire-adjusted scores for a procurement decision, you should validate the responses — for example by requesting evidence such as ISO 27001 / SOC 2 certificates, penetration test summaries, policy documents, or a signed declaration from the supplier. Treat any unverified answer with appropriate caution.
