Compliance Proof

What is a Compliance Proof?

A compliance proof is a document that demonstrates how your vulnerability disclosure program aligns with recognized security frameworks. It collects data from your Faultlean account — reports, reviews, assets, VDP policy, timeliness metrics — and maps that evidence against the controls required by each framework.

The output is a structured Markdown document with a unique document ID and a SHA-256 hash for integrity verification. It can be downloaded and shared with auditors, customers, or internal compliance teams.

When to Generate One

Common scenarios:

  • An auditor or customer asks for evidence that you have a functioning vulnerability disclosure program.
  • Your organization needs to demonstrate compliance with a specific framework (NIST 800-53, SOC 2, ISO 27001, etc.) as part of a certification or vendor assessment.
  • You want a periodic snapshot of your program's health for internal review.

What the Proof Contains

Each proof includes the following sections:

  1. Program Summary — report volume, disposition breakdown (validated, closed, duplicate, etc.), and a narrative summary.
  2. Timeliness — mean time to triage and mean remediation time by severity level.
  3. Program Attributes — whether a reward program is active, researcher acknowledgements, policy version, safe harbor language, SLA targets.
  4. Severity by Asset — a breakdown of vulnerability counts by asset and severity level.
  5. Framework Compliance — for each selected framework, a control-by-control assessment showing which controls are supported by your VDP evidence.
  6. Policy Documentation — a reference to your published VDP policy and its version.
  7. Asset Scope Register — all registered assets with their scope status, entry/exit dates, and criticality.
  8. Vulnerability Report Index — a table of all validated reports in the attestation period with severity, status, dates, and CVE/CWE references.
  9. KEV Cross-Reference — reports with CVE identifiers, for cross-referencing against the CISA Known Exploited Vulnerabilities catalog.
  10. Researcher Acknowledgements — researchers who have opted in to public acknowledgement.
  11. Supply Chain Disclosure — whether your VDP scope includes suppliers and third-party assets.
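The KEV Cross-Reference section lists the CVE identifiers but leaves the actual lookup against the CISA catalog to the reader. The following is an added example, not Faultlean's own code, of performing that lookup offline in Python. The Markdown excerpt and the KEV JSON below are constructed for the example: the JSON uses the field names of CISA's public feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but its entries and dates are illustrative, so which CVEs count as "in KEV" here is decided by the excerpt, not by the real catalog. The resolution date passed to past_kev_due_date is assumed to come from the CSV export; this page does not name that column.

```python
import json
import re
from datetime import date

# Constructed excerpt standing in for a downloaded proof (not a real Faultlean export).
# Only the CVE identifiers are extracted, so the exact table layout does not matter.
SAMPLE_PROOF_MD = """\
Vulnerability Report Index

| Report | Severity | Status   | CVE            |
|--------|----------|----------|----------------|
| R-1    | Critical | Resolved | CVE-2021-44228 |
| R-2    | High     | Resolved | CVE-2022-0778  |
| R-3    | Medium   | Resolved | n/a            |
"""

# Constructed excerpt using the field names of CISA's KEV JSON feed.
# Entries and dates are illustrative; check the live catalog before relying on them.
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "dateAdded": "2021-12-10",
            "dueDate": "2021-12-24",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

# CVE IDs are CVE-YYYY-N with four or more digits in the sequence part.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def extract_cves(markdown: str) -> set[str]:
    """Every distinct CVE identifier mentioned anywhere in the proof text."""
    return set(CVE_RE.findall(markdown))


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index the KEV feed by cveID so each lookup is a dictionary hit."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def cross_reference(markdown: str, kev_json: str) -> dict:
    """Split the proof's CVEs into those present in the KEV data and the rest."""
    cves = extract_cves(markdown)
    kev = load_kev(kev_json)
    in_kev = {cve: kev[cve] for cve in sorted(cves) if cve in kev}
    return {"in_kev": in_kev, "not_in_kev": cves - set(in_kev)}


def past_kev_due_date(kev_entry: dict, resolved_on: str) -> bool:
    """True if the report was resolved after CISA's remediation due date.

    resolved_on is an ISO date (YYYY-MM-DD), assumed to be taken from the
    proof's CSV export; this page does not specify the column name.
    """
    return date.fromisoformat(resolved_on) > date.fromisoformat(kev_entry["dueDate"])


if __name__ == "__main__":
    result = cross_reference(SAMPLE_PROOF_MD, SAMPLE_KEV_JSON)
    for cve, entry in result["in_kev"].items():
        late = past_kev_due_date(entry, "2022-01-15")  # assumed resolution date
        print(f"{cve}: in KEV (due {entry['dueDate']}), resolved after due date: {late}")
    for cve in sorted(result["not_in_kev"]):
        print(f"{cve}: not in the KEV data used")
```

The catalog only grows, so a CVE that was absent from KEV when the proof was generated may be listed by the time an auditor reads it; rerun the cross-reference against the current feed rather than relying on the snapshot in the proof.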

Generating a Proof

From the Compliance Proof page, click Generate Proof. You will be asked to select:

  • Attestation period — the date range for the proof. Preset options (this year, last year, last 12 months, last 6 months) are provided, or you can set custom dates.
  • Frameworks — the compliance frameworks to evaluate. Multiple frameworks can be selected. Each framework adds a section to the proof mapping your evidence against its controls.

Generation runs as a background job. When complete, the proof appears in the list with download links for both Markdown and CSV formats.

Supported Frameworks

Faultlean evaluates compliance against the following frameworks:

  • NIST SP 800-53 Rev. 5 — U.S. federal standard (SI-2, SI-5, RA-5, SA-11, IR-6)
  • FedRAMP — U.S. federal authorization (SI-2, RA-5, SI-5)
  • SOC 2 (AICPA TSC) — Industry trust services criteria (CC7.1, CC7.2, CC7.4, CC8.1)
  • ISO 27001:2022 — International information security standard (A.8.8, A.5.24, A.5.25, A.6.8)
  • GDPR — EU data protection regulation (Articles 32, 33)
  • PCI DSS v4.0 — Payment card industry standard (6.3.1, 6.3.3, 11.3.1, 12.10.5)
  • HIPAA Security Rule — U.S. health data protection (§164.308(a)(1), §164.308(a)(6), §164.312(a))

Each framework section shows a control-by-control status and an overall attestation statement. The mapping covers only the controls that VDP evidence can support; it is supporting evidence for an assessor, not a certification against the framework.

Downloads

Completed proofs can be downloaded in two formats:

  • Markdown — the full proof document, suitable for rendering, archiving, or sharing with auditors.
  • CSV — a tabular export of the report data, useful for importing into spreadsheets or compliance tools.

Document Integrity

Each proof has a document ID and a SHA-256 hash computed from the Markdown content (the CSV export is not covered by it). To verify integrity, hash the downloaded Markdown file exactly as received, byte for byte, and compare the result to the hash shown on the proof detail page. Opening and re-saving the file in an editor can convert line endings or add a byte order mark and will change the hash. Take the reference value from the detail page, not from a copy of the document: a hash detects alteration, but anyone who edits the file can recompute it, so the comparison is only meaningful against a value obtained from Faultlean.
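A concrete way to perform this check, as an added example rather than Faultlean's own tooling. It hashes the bytes exactly as downloaded, compares in constant time, and, when the hash does not match, tests whether the difference is explained by a line-ending conversion, a stripped or added trailing newline, or a UTF-8 byte order mark, which are the usual reasons a file that was merely opened in an editor no longer matches. The expected hash is assumed to be pasted from the proof detail page; the command-line usage is a convenience, not a Faultlean interface.

```python
import hashlib
import hmac
import sys


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash the file byte for byte; binary mode avoids newline translation."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_expected(expected_hex: str) -> str:
    """Accept the hash as pasted from the detail page (surrounding whitespace, any case)."""
    return expected_hex.strip().lower()


def verify_proof_bytes(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the hash shown on the proof detail page."""
    return hmac.compare_digest(sha256_hex(data), normalize_expected(expected_hex))


def verify_proof_file(path: str, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_file(path), normalize_expected(expected_hex))


def diagnose_mismatch(data: bytes, expected_hex: str) -> str:
    """Explain a failed check: re-encoding artefact or genuinely different content."""
    expected = normalize_expected(expected_hex)
    if hmac.compare_digest(sha256_hex(data), expected):
        return "match"
    lf = data.replace(b"\r\n", b"\n")
    # Each variant undoes one common transformation applied by editors or transfers.
    variants = {
        "crlf-to-lf": lf,
        "lf-to-crlf": lf.replace(b"\n", b"\r\n"),
        "trailing-newline-stripped": data.rstrip(b"\r\n"),
        "trailing-newline-added": data.rstrip(b"\r\n") + b"\n",
        "utf8-bom-stripped": data[3:] if data.startswith(b"\xef\xbb\xbf") else data,
    }
    for name, variant in variants.items():
        if hmac.compare_digest(sha256_hex(variant), expected):
            return f"mismatch explained by {name}: content is unchanged, the file was re-encoded"
    return "mismatch: content differs from what Faultlean hashed; treat the copy as unverified"


if __name__ == "__main__":
    # Usage: python verify_proof.py <downloaded.md> <hash-from-detail-page>
    path, expected = sys.argv[1], sys.argv[2]
    if verify_proof_file(path, expected):
        print("OK: hash matches the proof detail page")
    else:
        with open(path, "rb") as f:
            print("FAILED:", diagnose_mismatch(f.read(), expected))
        sys.exit(1)
```

A re-encoding explanation means the text is intact but the file as stored is no longer the exact artefact Faultlean hashed; if the copy will be archived as evidence, download it again rather than keeping the altered bytes.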

Asset Data Quality

Before generating a proof, Faultlean checks whether your in-scope assets have the recommended fields filled in (URL, type, criticality). If any are incomplete, a warning is shown with links to edit them. You can still generate a proof with incomplete data, but the output will be less comprehensive.