
This is the report you receive for every vendor. Real data, anonymised.

VendoReport

Vendor Risk Report

fornitore-erp.it

7.4 HIGH
Assessed entity fornitore-erp.it
Vendor role ERP provider · business critical (per client classification)
Scope External passive attack-surface assessment · point-in-time
Assessment date 2026-06-06
Valid through 2026-09-06 · re-verify quarterly
Methodology VR-EXT v1.2
Assessed by VendoReport security analysis team
Report ID VR-2026-0606-ERP

NIS2 · Art. 21

VendoReport · VR-EXT v1.2 · report VR-2026-0606-ERP · 2026-06-06 p. 1/7

1 · Executive summary

This summary highlights the highest-impact findings observable from outside. The full set of 4 findings is in section 2; scope and limitations in section 5.

  1. A passive host record shows a MySQL database port (3306) reachable from the public internet. This finding is the main driver of the HIGH score.

  2. The vendor's domain appears in 2 publicly indexed data breaches (2021, 2023). Credentials from those breaches may still be in circulation.

  3. Email authentication (SPF) is not configured, so mail spoofing this vendor's domain is easier than it should be; phishing in the vendor's name is the practical risk.


2 · Technical findings

HIGH

Database service potentially exposed

port 3306 (MySQL) responding
Source: Passive host record
Collected: 2026-06-06 09:14 UTC
Reference: Art. 21(2)(d) · CIR Annex 5.3 (monitoring evidence)
Status: Open · action requested

Ask the vendor to restrict database access to a private network (or to allow-listed client addresses) and to confirm on re-verification that the port no longer answers from the internet. A passive record shows the port responded when observed; it does not show whether a firewall or strong authentication stands in front of it, which is why the finding reads "potentially exposed".

HIGH

Known breach exposure

2 breaches: 2021, 2023
Source: Public breach index
Collected: 2026-06-06 09:15 UTC
Reference: Art. 21(2)(d)
Status: Open · action requested

Ask the vendor to confirm that the credentials exposed in the 2021 and 2023 breaches were rotated and that the affected accounts no longer accept the leaked passwords.

MEDIUM

TLS configuration needs updating

grade B · TLS 1.0 enabled
Source: TLS probe
Collected: 2026-06-06 09:16 UTC
Reference: Art. 21(2)(h)
Status: Open · action requested

Request that the vendor disable TLS 1.0 (and any other version below 1.2) and accept TLS 1.2 or higher only.

MEDIUM

Email authentication incomplete

SPF record missing
Source: DNS TXT lookup
Collected: 2026-06-06 09:16 UTC
Reference: Art. 21(2)(g)
Status: Open · action requested

Request SPF, DKIM and DMARC configuration. SPF alone only lists authorised senders; a DMARC policy of quarantine or reject is what tells receivers to act on spoofed mail, so ask for all three.
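To reproduce the DNS TXT check behind this finding, and to re-verify the vendor's fix later, here is an added example (not VendoReport tooling and not the vendor's real configuration) that evaluates SPF, DKIM and DMARC records and turns gaps into findings on the report's severity labels. DNS is abstracted as a dict of name to TXT strings so it runs offline on a constructed zone snapshot; the domain reuses the report's anonymised `fornitore-erp.it`, and the record contents, the selector list and the lookup-counting rule are assumptions.

```python
"""Evaluate SPF, DKIM and DMARC records and turn gaps into findings.

Added example, not VendoReport tooling. DNS is abstracted as a dict of
name -> list of TXT strings so the logic runs offline; to run it live,
replace lookup_txt with a resolver call (for instance dnspython's
dns.resolver.resolve(name, "TXT")).
"""
import re
from dataclasses import dataclass

# Constructed zone snapshot (assumed, not the vendor's real records): a DKIM
# key under one selector, a monitor-only DMARC record, and no SPF at all.
SAMPLE_ZONE = {
    "fornitore-erp.it": ["google-site-verification=abc123"],
    "_dmarc.fornitore-erp.it": ["v=DMARC1; p=none; rua=mailto:dmarc@fornitore-erp.it"],
    "selector1._domainkey.fornitore-erp.it": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq..."],
}

# Assumed list of selectors to try; DKIM selectors cannot be enumerated via DNS.
COMMON_SELECTORS = ("selector1", "selector2", "default", "google", "k1", "dkim")

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$)", re.IGNORECASE)


@dataclass
class Finding:
    check: str      # SPF / DKIM / DMARC
    severity: str   # LOW / MEDIUM, using the report's severity labels
    detail: str


def lookup_txt(zone, name):
    return zone.get(name, [])


def check_spf(zone, domain):
    spf = [r for r in lookup_txt(zone, domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return Finding("SPF", "MEDIUM", "SPF record missing")
    if len(spf) > 1:
        return Finding("SPF", "MEDIUM", "multiple SPF records; receivers evaluate this as permerror")
    terms = spf[0].split()
    # The 'all' mechanism governs senders not matched earlier: '+all' or bare
    # 'all' authorises everyone, '?all' is neutral, and no 'all' defaults to neutral.
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None or all_term.lstrip("+") == "all" or all_term.startswith("?"):
        return Finding("SPF", "MEDIUM",
                       f"SPF present but not enforcing ({all_term or 'no all mechanism'})")
    lookups = sum(1 for t in terms[1:]
                  if LOOKUP_TERM.match(t) or t.lower().startswith("redirect="))
    if lookups > 10:
        return Finding("SPF", "LOW", f"{lookups} DNS-lookup terms, over the RFC 7208 limit of 10")
    return None


def check_dmarc(zone, domain):
    recs = [r for r in lookup_txt(zone, f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not recs:
        return Finding("DMARC", "MEDIUM", "DMARC record missing")
    tags = {}
    for kv in recs[0].split(";"):          # tag=value pairs separated by ';'
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        return Finding("DMARC", "LOW",
                       f"DMARC policy is '{policy or 'unset'}': reporting only, spoofed mail is still delivered")
    return None


def check_dkim(zone, domain, selectors=COMMON_SELECTORS):
    for sel in selectors:
        if any(r.lower().startswith("v=dkim1")
               for r in lookup_txt(zone, f"{sel}._domainkey.{domain}")):
            return None
    return Finding("DKIM", "LOW",
                   "no DKIM key under common selectors (the vendor may use another selector)")


def evaluate_email_auth(zone, domain):
    """All findings for the domain, ordered SPF, DMARC, DKIM."""
    checks = (check_spf(zone, domain), check_dmarc(zone, domain), check_dkim(zone, domain))
    return [f for f in checks if f is not None]


if __name__ == "__main__":
    for f in evaluate_email_auth(SAMPLE_ZONE, "fornitore-erp.it"):
        print(f"{f.severity:<6} {f.check:<5} {f.detail}")
```

On the constructed snapshot this yields the report's "SPF record missing" at MEDIUM plus a LOW note that DMARC is in monitor-only mode; a DKIM miss is reported at LOW only because the selector list is a guess, not proof that no key exists.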


3 · NIS2 and CIR mapping

Art. 21(2)(d) · Supply-chain security
Gap detected (2 HIGH findings)

Art. 21(3) · Supplier-specific vulnerabilities and practice quality
Partially assessed · external vulnerabilities only (see Limitations)

Art. 21(2)(f) · Effectiveness assessment
Documented by this report

Art. 22(1) · Coordinated critical supply-chain assessments
Out of scope · not a substitute (see Limitations)

CIR (EU) 2024/2690 Annex 5.1.2 · Supplier selection criteria
Mapped where applicable

CIR Annex 5.3 · Documented evidence of monitoring
Per-finding evidence attached

ACN Det. 127437/2026 · Relevant-supplier declaration
Mapped for the annual ACN declaration

ACN Det. 127437/2026 is a supplier-declaration obligation, not a security standard. Baseline measures are set by ACN Det. 379907/2025; technical supply-chain controls by Implementing Regulation (EU) 2024/2690, Annex 5.


4 · Remediation

The requests to forward to the vendor, in priority order:

01 · Restrict database access (port 3306) to a private network.
Owner: Vendor · Severity: HIGH · Status: Requested 2026-06-06 · Re-verify: On next scan

02 · Confirm rotation of the credentials involved in the 2021 and 2023 breaches.
Owner: Vendor · Severity: HIGH · Status: Requested 2026-06-06 · Re-verify: On next scan

03 · Disable TLS 1.0 and support only TLS 1.2 or higher.
Owner: Vendor · Severity: MEDIUM · Status: Requested 2026-06-06 · Re-verify: On next scan

04 · Configure SPF, DKIM and DMARC records.
Owner: Vendor · Severity: MEDIUM · Status: Requested 2026-06-06 · Re-verify: On next scan
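Items 01 and 03 are the two requests you can re-verify yourself before the next scheduled scan. The script below is an added example (not VendoReport tooling, and unlike the report's passive sources it makes live connections, so run it only against hosts you are allowed to probe): it checks whether port 3306 still completes a TCP handshake and which TLS versions the HTTPS endpoint accepts, then maps the result to the report's Open / Closed status. The hostname defaults to the report's anonymised `fornitore-erp.it`, the "Unverified" status is an assumption of this example, and the probe functions are separated from the pure `assess_*` functions so the decision logic runs offline.

```python
"""Re-verify two network findings: port 3306 answering, and TLS 1.0 accepted.

Added example, not VendoReport tooling. The probe_* functions touch the
network (active checks); the assess_* functions are pure so the decision
logic can be tested offline. "Unverified" is an assumed status, not one
used in the report.
"""
import socket
import ssl
import sys

LEGACY = ("TLSv1", "TLSv1_1")    # names of ssl.TLSVersion members
MODERN = ("TLSv1_2", "TLSv1_3")


def probe_tcp_open(host, port, timeout=3.0):
    """True if something completes a TCP handshake on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_tls_versions(host, port=443, timeout=5.0):
    """Map each TLS version name to True (server accepted it), False (server
    declined it) or None (our own library would not offer it, so untested)."""
    results = {}
    for name in LEGACY + MODERN:
        ver = ssl.TLSVersion[name]
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # we are testing protocol support,
        ctx.verify_mode = ssl.CERT_NONE   # not the certificate chain
        try:
            # OpenSSL 3 refuses to offer TLS 1.0/1.1 at its default security
            # level; SECLEVEL=0 lets the client actually send that ClientHello.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass                          # not OpenSSL, or no security levels
        try:
            ctx.minimum_version = ver     # pin the handshake to exactly one version
            ctx.maximum_version = ver
        except ValueError:                # version not compiled into this library
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except ssl.SSLError as exc:
            # "no protocols available" is the local library giving up, so the
            # version stays untested; any other handshake error is a server refusal.
            results[name] = None if "no protocols available" in str(exc).lower() else False
        except OSError:
            results[name] = None
    return results


def assess_tls(results):
    """Translate a probe result into the report's Open / Closed status."""
    accepted_legacy = [v for v in LEGACY if results.get(v)]
    untested_legacy = [v for v in LEGACY if results.get(v) is None]
    if accepted_legacy:
        return "Open", "legacy versions still accepted: " + ", ".join(accepted_legacy)
    if untested_legacy:
        return "Unverified", "could not offer " + ", ".join(untested_legacy) + " from this client"
    if not any(results.get(v) for v in MODERN):
        return "Open", "no modern TLS version negotiated"
    return "Closed", "TLS 1.2 or higher only"


def assess_db_port(reachable):
    if reachable:
        return "Open", "port 3306 still completes a TCP handshake from the internet"
    return "Closed", "port 3306 no longer reachable from this vantage point"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "fornitore-erp.it"  # report's anonymised domain
    print("DB port :", *assess_db_port(probe_tcp_open(host, 3306)))
    print("TLS     :", *assess_tls(probe_tls_versions(host)))
```

The distinction between False and None matters: a modern client that silently refuses to speak TLS 1.0 would otherwise report the finding as fixed when it was never tested, which is why the example downgrades the security level and keeps a separate "Unverified" outcome.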


5 · Methodology, scope and limitations

VendoReport produces an external, passive assessment of the vendor public attack surface. It does not log into vendor systems, does not run intrusive tests, and does not replace an internal audit.

Severity scale

LOW 0.0 to 3.9 Minor hygiene gap, low exposure.
MEDIUM 4.0 to 6.4 Should be fixed, limited direct exposure.
HIGH 6.5 to 8.4 Material exposure, request remediation.
CRITICAL 8.5 to 10 Directly exploitable exposure, act now.

Data sources

  • Passive DNS and certificate transparency
  • Public data breach indices
  • Service banners on exposed ports
  • Email authentication records (SPF, DKIM, DMARC)

Limitations

  1. This is an external, passive view of the public attack surface, not a full security audit.
  2. IP and host attribution carry a confidence margin and may include shared infrastructure.
  3. Findings describe what is potentially exposed, not what is confirmed exploitable.
  4. Supplier secure-development practices (Art. 21(3)) are outside passive scope: they require questionnaires or contract review.
  5. This report does not substitute the coordinated assessments under NIS2 Art. 22(1).
  6. Results are valid as of the assessment date above. Re-verify quarterly or on material change.

Assessment performed by the VendoReport security analysis team using the VR-EXT v1.2 methodology.


6 · Regulatory references

Directive (EU) 2022/2555 (NIS2)

Art. 21, cybersecurity risk-management measures.

D.lgs. 138/2024

Italian transposition of NIS2.

Implementing Regulation (EU) 2024/2690

Annex 5, technical supply-chain controls.

ACN Det. 379907/2025

Baseline security measures, from 15 January 2026.

ACN Det. 127437/2026

Relevant-supplier declaration to ACN, window 15 April to 31 May.


This is what you receive for every vendor.

Get yours for €49

Not an automated scan: verified by an analyst · No account · Money-back guarantee