Penetration test schedule
Policy
An external penetration test is performed at least **annually** and after any material architecture change.
2026 schedule
| Window | Scope | Status |
|--------|-------|--------|
| Q2 2026 | Web app + API v1 + auth flows | Scheduled |
| Q4 2026 | Enterprise SSO + billing webhooks | Planned |
Scope (minimum)
- OWASP Top 10 on `apps/web`
- API key brute-force and rate-limit bypass
- IDOR on assessments, reports, and the evidence presign endpoint
- Webhook signature validation (Stripe, Paystack)
- SSRF via external integration adapters
Remediation
Findings are tracked in the GitHub Security tab. Critical and High findings are fixed before the next release train.
Safe claims
Do **not** market the product as "pen tested" until the final report has been delivered. This document is for internal readiness only.