Penetration Testing

TruthVouch undergoes regular independent penetration testing to identify and fix security vulnerabilities before they can be exploited.

Testing Schedule

We conduct penetration testing:

  • Comprehensive: External and internal penetration testing
  • Application Security: Assessments across the in-scope systems listed below
  • Ongoing: Vulnerability scanning (weekly)
  • On-Demand: For major releases or after incidents

Scope of Testing

Systems Tested

  • Web application (truthvouch.com)
  • Public APIs (api.truthvouch.com)
  • Authentication mechanisms
  • Data storage and encryption
  • Network infrastructure
  • Third-party integrations

Testing Types

  • Black-Box Testing: Simulating an external attacker with no prior knowledge of the system
  • White-Box Testing: Internal security review with full access to source code and architecture
  • Social Engineering: Employee awareness testing
  • Cloud Security: AWS configuration review
  • API Security: OAuth flows, JWT handling, rate limiting

Out of Scope

  • Third-party services
  • User-launched attacks
  • Vulnerabilities requiring physical access
  • Social engineering of customers (permitted only with explicit prior authorization)

Assessment Results

Initial penetration testing is planned. Results will be published here upon completion of the assessment and any remediation work.

Vulnerability Remediation

When pentesting identifies issues:

  1. Severity Assessment (same day)
  2. Fix Development (hours to days depending on severity)
  3. Testing & QA (2-5 days)
  4. Deployment (1-7 days based on risk)
  5. Post-Verification (24 hours after deployment)

Remediation Times

  • Critical: Fix within 24 hours, deploy within 48 hours
  • High: Fix within 72 hours, deploy within 1 week
  • Medium: Fix within 2 weeks, deploy within 1 month
  • Low: Fix within 1 month, deploy within 90 days

Continuous Security Monitoring

Beyond pentesting, we continuously monitor:

Automated Scanning

  • Weekly vulnerability scans using Nessus and Qualys
  • Daily dependency checks for known vulnerabilities
  • Real-time threat detection with WAF and IDS
  • Code analysis on every commit (SAST/DAST)

Third-Party Monitoring

  • Software composition analysis (SCA) for supply chain security
  • API gateway logs reviewed for attack patterns
  • DNS/WHOIS monitoring for domain takeover attempts
  • Dark web monitoring for leaked credentials

Team Reviews

  • Monthly security reviews of critical systems
  • Quarterly architecture reviews for security design
  • Annual security training for all engineering staff

Compliance with Standards

Our penetration testing adheres to:

  • OWASP Testing Guide v4 — Best practices for web app testing
  • PTES (Penetration Testing Execution Standard) — Framework for engagements
  • NIST — Federal information security standards
  • PCI DSS — Payment card security testing requirements

Report Distribution

Pentesting reports are:

  • Provided to customers upon request (under NDA)
  • Shared with board/auditors for oversight
  • Detailed findings available to enterprise customers

Request a pentest report: [email protected]

Security Patches

When vulnerabilities are discovered:

  1. Immediate Fix — Critical issues fixed within 24 hours and deployed within 48 hours, per the remediation times above
  2. Staged Rollout — 5% → 25% → 100% over 24-48 hours
  3. Customer Notification — Email + dashboard alert
  4. Verification — Post-deployment testing confirms fix
  5. Documentation — Security advisory published

Continuous Improvement

After each assessment, we:

  • Review root causes
  • Update security controls
  • Improve developer security training
  • Enhance automated scanning rules
  • Update incident response procedures

Bug Bounty Program

In addition to formal pentesting, we operate a responsible disclosure program where external researchers can report vulnerabilities and earn rewards.

Questions?