Penetration Testing

TruthVouch undergoes regular independent penetration testing to identify and fix security vulnerabilities before they can be exploited.

Testing Schedule

We conduct penetration testing:

  • Annual: Comprehensive external and internal testing (Q1)
  • Semi-Annual: Application security assessment (Q3)
  • Ongoing: Vulnerability scanning (weekly)
  • On-Demand: For major releases or after incidents

Scope of Testing

Systems Tested

  • Web application (truthvouch.com)
  • Public APIs (api.truthvouch.com)
  • Authentication mechanisms
  • Data storage and encryption
  • Network infrastructure
  • Third-party integrations

Testing Types

  • Black-Box Testing: Simulating an external attacker
  • White-Box Testing: Internal security review
  • Social Engineering: Employee awareness testing
  • Cloud Security: AWS configuration review
  • API Security: OAuth, JWT, rate limiting

Out of Scope

  • Third-party services
  • User-launched attacks
  • Vulnerabilities requiring physical access
  • Social engineering of customers (with permission only)

Latest Assessment Results

Most Recent Pentest: Q1 2024

  • Performed By: NCC Group (independent third-party)
  • Date: January 15-26, 2024
  • Duration: 10 business days
  • Testers: 3 senior penetration engineers

Findings Summary

  • Critical: 0 issues
  • High: 1 issue (promptly fixed)
  • Medium: 3 issues (all addressed)
  • Low: 7 issues (documentation/process improvements)
  • Info: 5 observations

Critical Issues Fixed

None identified in latest assessment.

High Severity Issues

  1. API Rate Limiting — Insufficient rate limits on verification endpoint
    • Fix: Implemented per-user rate limiting (100 requests/min)
    • Deployed: January 29, 2024
    • Verified: February 2, 2024
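One way to implement the per-user limit described in the finding above (100 requests per minute on the verification endpoint), as an added example that is not TruthVouch's own code. The sliding-window limiter is generic; the `verify_endpoint` handler, user ids and claim values are constructed for illustration.

```python
"""Per-user sliding-window rate limiter: at most LIMIT hits in any WINDOW_S seconds."""
import time
from collections import defaultdict, deque
from typing import Optional, Tuple

LIMIT = 100       # requests allowed per user ...
WINDOW_S = 60.0   # ... within any rolling 60-second window


class PerUserRateLimiter:
    """Keeps one deque of request timestamps per user (amortised O(1) per call)."""

    def __init__(self, limit: int = LIMIT, window_s: float = WINDOW_S):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)   # user_id -> deque of monotonic timestamps

    def check(self, user_id: str, now: Optional[float] = None) -> Tuple[bool, int]:
        """Return (allowed, retry_after_seconds); records the hit only when allowed."""
        now = time.monotonic() if now is None else now
        q = self._hits[user_id]
        cutoff = now - self.window_s
        while q and q[0] <= cutoff:      # evict timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            # The oldest remaining hit must age out before another request fits.
            retry_after = int(q[0] + self.window_s - now) + 1
            return False, retry_after
        q.append(now)
        return True, 0


def verify_endpoint(limiter: PerUserRateLimiter, user_id: str, claim: str,
                    now: Optional[float] = None) -> dict:
    """Hypothetical handler: enforce the limit before any verification work runs.

    The verification itself is stubbed; the point is the 429 + Retry-After path,
    which is keyed on the authenticated user rather than on the client IP.
    """
    allowed, retry_after = limiter.check(user_id, now)
    if not allowed:
        return {"status": 429, "headers": {"Retry-After": str(retry_after)},
                "body": "rate limit exceeded"}
    return {"status": 200, "headers": {}, "body": f"verified:{claim}"}


if __name__ == "__main__":
    lim = PerUserRateLimiter()
    for i in range(LIMIT):                       # constructed burst: 100 hits in 50 s
        verify_endpoint(lim, "alice", f"claim-{i}", now=i * 0.5)
    print(verify_endpoint(lim, "alice", "claim-101", now=50.0))   # 429, Retry-After 11
```

Keying on the authenticated user means one account cannot exhaust the endpoint for others, and the `Retry-After` header tells well-behaved clients when to resume.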

Medium Severity Issues

  1. Session Timeout — Session tokens didn’t expire after 8 hours

    • Fix: Implemented 30-minute timeout with refresh tokens
    • Status: Fixed
  2. CORS Configuration — Overly permissive CORS headers

    • Fix: Whitelisted specific trusted origins
    • Status: Fixed
  3. Dependency Vulnerabilities — Outdated npm dependencies

    • Fix: Updated all dependencies to latest secure versions
    • Status: Fixed

Previous Assessments

  Date     Firm       Type  Critical  High  Medium
  Q1 2024  NCC Group  Full  0         1     3
  Q3 2023  Deloitte   App   0         2     4
  Q1 2023  Coalfire   Full  0         1     5

Vulnerability Remediation

When pentesting identifies issues:

  1. Severity Assessment (same day)
  2. Fix Development (hours to days depending on severity)
  3. Testing & QA (2-5 days)
  4. Deployment (1-7 days based on risk)
  5. Post-Verification (24 hours after deployment)

Remediation Times

  • Critical: Fix within 24 hours, deploy within 48 hours
  • High: Fix within 72 hours, deploy within 1 week
  • Medium: Fix within 2 weeks, deploy within 1 month
  • Low: Fix within 1 month, deploy within 90 days

Continuous Security Monitoring

Beyond pentesting, we continuously monitor:

Automated Scanning

  • Weekly vulnerability scans using Nessus and Qualys
  • Daily dependency checks for known vulnerabilities
  • Real-time threat detection with WAF and IDS
  • Code analysis on every commit (SAST/DAST)

Third-Party Monitoring

  • Software composition analysis (SCA) for supply chain security
  • API gateway logs reviewed for attack patterns
  • DNS/WHOIS monitoring for domain takeover attempts
  • Dark web monitoring for leaked credentials

Team Reviews

  • Monthly security reviews of critical systems
  • Quarterly architecture reviews for security design
  • Annual security training for all engineering staff

Compliance with Standards

Our penetration testing adheres to:

  • OWASP Testing Guide v4 — Best practices for web app testing
  • PTES (Penetration Testing Execution Standard) — Framework for engagements
  • NIST — Federal information security standards
  • PCI DSS — Payment card security testing requirements

Report Distribution

Pentesting reports are:

  • Provided to customers upon request (under NDA)
  • Shared with board/auditors for oversight
  • Summarized publicly at status.truthvouch.com
  • Detailed findings available to enterprise customers

Request a pentest report: compliance@truthvouch.com

Security Patches

When vulnerabilities are discovered:

  1. Immediate Fix — Critical issues patched within 24 hours
  2. Staged Rollout — 5% → 25% → 100% over 24-48 hours
  3. Customer Notification — Email + dashboard alert
  4. Verification — Post-deployment testing confirms fix
  5. Documentation — Security advisory published

Continuous Improvement

After each assessment, we:

  • Review root causes
  • Update security controls
  • Improve developer security training
  • Enhance automated scanning rules
  • Update incident response procedures

Bug Bounty Program

In addition to formal pentesting, we operate a responsible disclosure program where external researchers can report vulnerabilities and earn rewards.

Questions?