SupplierClear

Penetration test schedule

Policy

An external penetration test is performed at least **annually** and after any material architecture change.

2026 schedule

| Window | Scope | Status |
|--------|-------|--------|
| Q2 2026 | Web app + API v1 + auth flows | Scheduled |
| Q4 2026 | Enterprise SSO + billing webhooks | Planned |

Scope (minimum)

- OWASP Top 10 on `apps/web`
- API key brute-force / rate limit bypass
- IDOR on assessments, reports, and evidence presign endpoints
- Webhook signature validation (Stripe, Paystack)
- SSRF on external integration adapters
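The webhook signature item above, as an added example that is not SupplierClear's code: a receiver-side check modelled on the Stripe-style `t=<ts>,v1=<hmac>` header (HMAC-SHA256 over `<timestamp>.<raw body>`), followed by a probe that runs the bypass attempts the test is meant to try: missing header, tampered body, wrong secret, replayed old event, header without a timestamp, and a non-hex signature. The 300-second replay window, the secret and the event payload are constructed for the example; Paystack's scheme is not modelled here.

```python
from __future__ import annotations

import hashlib
import hmac
import string

# Replay window in seconds. Assumed value for this example, not a vendor constant.
TOLERANCE_SECONDS = 300


def parse_signature_header(header: str) -> tuple[int | None, list[str]]:
    """Parse a Stripe-style 't=<unix ts>,v1=<hex hmac>[,v1=<hex hmac>...]' header.

    Returns (timestamp or None, list of candidate hex signatures). Non-hex
    signature values are dropped so the constant-time compare below only
    ever sees ASCII input.
    """
    ts: int | None = None
    sigs: list[str] = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            ts = int(value)
        elif key == "v1" and value and all(c in string.hexdigits for c in value):
            sigs.append(value.lower())
    return ts, sigs


def sign(payload: bytes, secret: str, ts: int) -> str:
    """Produce the header a sender would attach: HMAC-SHA256 over '<ts>.<body>'."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_webhook(payload: bytes, header: str, secret: str, now: int) -> tuple[bool, str]:
    """Receiver-side check. Each early return is a case the pentest probes."""
    ts, sigs = parse_signature_header(header or "")
    if ts is None or not sigs:
        return False, "missing or malformed signature header"
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (replay)"
    expected = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so response timing leaks nothing about
    # how many leading bytes of a guessed signature were correct.
    if any(hmac.compare_digest(expected, s) for s in sigs):
        return True, "ok"
    return False, "signature mismatch"


def run_probes(secret: str = "whsec_constructed_example", now: int = 1_700_000_000) -> dict[str, bool]:
    """Run a constructed payload through the bypass attempts a tester tries.

    Only 'valid' should come back True.
    """
    payload = b'{"id":"evt_1","type":"invoice.paid","amount":1000}'  # constructed event
    good = sign(payload, secret, now)
    cases = {
        "valid": (payload, good),
        "missing_header": (payload, ""),
        "tampered_body": (payload.replace(b"1000", b"1"), good),
        "wrong_secret": (payload, sign(payload, "whsec_other", now)),
        "replayed_old_event": (payload, sign(payload, secret, now - 3600)),
        "no_timestamp": (payload, good.split(",", 1)[1]),
        "garbage_signature": (payload, f"t={now},v1=not-hex"),
    }
    return {name: verify_webhook(p, h, secret, now)[0] for name, (p, h) in cases.items()}


if __name__ == "__main__":
    for name, accepted in run_probes().items():
        print(f"{name:20s} {'ACCEPTED' if accepted else 'rejected'}")
```

A finding against this item is any probe other than `valid` that comes back accepted, or a handler that compares signatures with `==` instead of `hmac.compare_digest`; the replay case in particular only fails closed if the receiver checks the timestamp at all.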

Remediation

Findings are tracked in the GitHub Security tab. Critical and High findings are fixed before the next release train.

Safe claims

Do **not** market the product as "pen tested" until the report is complete. This document is for internal readiness only.