• What format should I use for sending timestamps?

Any field marked as date-time must conform to the RFC3339 format (e.g. “2022-06-15T12:32:44Z”).
Vanta does not retain fractional seconds in timestamps.

  • How does severity for vulnerabilities map to classification (low, medium, high and critical)?

Vulnerability resources correspond to known CVEs. CVE severities map to classifications as follows:

0.1-3.9: Low

4.0-6.9: Medium

7.0-8.9: High

9.0-10.0: Critical