(no title)

The reason for having security documentation isnt so that it can answer the questions the client has. No one will actually read it. The thing is, people have an unlimited appetite for wasting your time if it's free for them to do so. By pointing them at documentation and having them get back to you with questions, you're now making it their problem instead of yours. Some clients will say no, fill out the questionnaire. You can politely bow out with those clients. Others will glance at your docs and decided it's not worth it to them to figure out if you actually answer all their questions, so they'll just check the "security review complete" box in their buying process.