Why we publish security reports publicly — even the red ones

The problem with most trust badges

Anyone can put a green shield in their footer. There is nothing stopping a site from displaying a security badge it has no right to, and buyers know this, which is why a lot of badges quietly mean nothing. We did not want to add another sticker to the internet. So we made a deliberate choice: the report behind a badge is public, and it tells the truth.

Verifiable beats impressive

Trust comes from being checkable, not from looking good. When a VerifiedApp badge links to a public report, a prospect, a procurement team or a curious engineer can click through and see exactly what was tested and how it scored — no login, no taking our word, no taking the site's word. The badge is not a claim; it is a pointer to evidence. That is the entire difference between a trust signal that works and one that does not.

Why the report can show red

This is the part that surprises people: our reports can display failing findings, and we think they should. A badge that is only ever capable of saying pass is, by definition, not a verification of anything — it is decoration. The ability to show red is what makes a green result mean something. If the badge could not fail, passing would carry no information.

This also keeps us honest as a vendor. We are not in the business of handing out clean bills of health; we are in the business of measuring accurately and showing the measurement.

A few findings is more credible, not less

There is a counterintuitive truth here. A report showing a couple of Medium findings is often more trustworthy than a flawless one, because real, well-run sites usually sit at mostly-green-with-a-couple-of-mediums. Frameworks reintroduce small issues; new checks appear; configuration drifts. A perfect sheet can mean a perfect site — or a shallow check. An honest report that shows the small stuff signals a scan that is actually looking.

What stays private

Public does not mean reckless. The report shows what was checked and the result; it never publishes the plaintext of a secret we find — those are recorded only in masked form. The goal is to prove the security posture, not to hand an attacker a shopping list. Transparency about whether you are secure, discretion about the exact sensitive values.

Trust you can point at

If you have done the security work, a public, verifiable report is how you finally get credit for it — in a form your customers can confirm for themselves. Put the proof where it counts.

FAQ

Why would I want my security report to be public?
Because a public report is verifiable, and verifiable trust is the only kind that moves a buyer. It answers security questions with evidence anyone can check, instead of a claim they have to believe. That is what turns a badge into a real trust signal.

Does a public report help attackers?
The report shows whether you are secure and what category any issues fall in, but never the plaintext of a secret — those are stored masked. It proves posture without handing over exploitable detail, which is the balance we deliberately strike.

Is it bad if my public report shows some findings?
No — a couple of Medium findings is normal and often reads as more credible than a suspiciously perfect report. Real sites drift; an honest report that shows the small stuff signals a scan that is genuinely looking, and the badge improves as you fix things.