Disclosure
What happens before we publish a bad grade.
We publish failing verdicts. We also believe the maker should hear it from us first, with the receipts, and get a fair chance to fix it or correct us. Here is exactly how a negative finding moves from our sandbox to the public registry.
A verdict you can trust is one that survived the maker seeing it first.
Anyone can publish a harsh score from behind a wall. It is easy and it is cheap, and it is why most ratings are not trusted. We do the harder thing. Before a negative finding goes live, we send it to the maintainer in full: the commands we ran, the output we saw, the grade, and the exact verdict text. If our test was wrong, we want to know before the world does, not after. If the finding is real, the maintainer gets a window to fix it. Either way, the result that publishes is one that stood up to the person with the most reason to argue.
This is not softness. The grade still publishes. It is what makes the grade worth believing.
The four steps, every time.
1. We notify first.
Before any negative finding is published, we send the maintainer the complete evaluation. The package and version we tested, the environment, the exact calls, the exact output, the security flag, the grade and why, and the verdict text as it will appear on the entry. No summary, no surprise. The same evidence you would see, they see first.
2. A window for exploitable flaws.
If the finding is a security flaw that someone could exploit, we hold publication for 14 days so the maintainer can ship a fix. Behavior that is already public and works as the package describes gets a shorter courtesy notice of 7 days, because there is nothing hidden to protect. If a maintainer is actively shipping a fix when the window closes, we extend it on request. We are trying to get the software fixed, not to win a race to publish.
3. Dispute and re-verification.
The maintainer can dispute any finding at any time. If they show our test misread the server, we re-run it and correct the public record, visibly. If they ship a fix, we re-test against the new version and update the score. A correction is not a favor we grant. It is how the registry stays accurate, and it cuts toward a higher grade exactly as readily as toward a lower one.
4. We publish when the window closes.
Reply or no reply, fix or no fix, the finding goes live when the window ends. Silence does not buy a veto. A registry that any maintainer can stall by ignoring it is not a registry, and it would fail the builders who rely on it to be current. We give a fair window. We do not give an indefinite one.
What you cannot do here.
You cannot pay to remove a finding, change a grade, or delay a publish date. There is no take-down process and no settlement. The window is for fixing the software or correcting our facts, and nothing else. The wall between money and the score is the whole product, and it stands here too. The only ways a grade moves are a real fix or a real error on our side.
The policy is public on purpose.
We publish this page for the same reason we publish the scoring method: so you can hold us to it. If we ever publish a negative finding without notifying the maintainer first, or quietly let someone buy their way out of a window, this page is the standard we broke. Pin it to us.
This sits next to the method itself. Both are public so you can check our work.