
Penetration testing


Annual third-party pen test

Scope:

  • External attack surface. Public APIs, widget, hosted page.
  • Authentication and authorization. Account, workspace, API keys.
  • Multi-tenant isolation. Cross-workspace data leakage attempts.
  • Webhook signature handling.
  • OAuth integration flows.
  • Prompt injection for AI surfaces.

Duration: 2 to 3 weeks per cycle.

What the report includes

  • Executive summary.
  • Findings classified as Critical, High, Medium, Low.
  • Remediation timeline per finding.
  • Re-test confirmation.

Severity rubric

  • Critical. Active exploit possible; remediated within 24 hours.
  • High. Significant risk; remediated within 7 days.
  • Medium. Moderate; remediated within 30 days.
  • Low. Best-practice gap; remediated in next release cycle.

Recent results

Last test cycle:

  • 0 Critical findings.
  • Most findings were Low or best-practice recommendations.
  • All remediated within the SLA.
  • Re-test confirmed.

Quarterly internal red-team

In addition to the annual external test:

  • Internal team runs adversarial testing each quarter.
  • Focus areas rotate; each quarter covers a different surface.
  • Findings logged in our security tracker.
  • Remediated same or following sprint.

Bug bounty

For external researchers:

  • Open program at security@askvault.co.
  • Payouts: $100 to $5,000 depending on severity.
  • Scope: production askvault.co and api.askvault.co.
  • Out of scope: social engineering, physical attacks, DoS, third-party dependencies.

Responsible disclosure required; no public exploit before fix.

How to access reports

For Enterprise prospects and customers:

  1. Email security@askvault.co.
  2. Sign NDA.
  3. Receive executive summary within 5 business days.

For paying customers, full reports are available under your DPA.

What we don't publish

For security reasons, we do not publish:

  • Specific vulnerabilities found. Not disclosed publicly.
  • Internal tooling details.
  • Specific firms used (under NDA with them).

Auditor selection

We use:

  • Accredited firms (PCI/SOC 2 / OSCP credentials).
  • Different firms across years for fresh perspectives.
  • Specialized AI-safety firms for prompt-injection-specific testing.

About 4 to 5 firms in our rotation.

Limits

  • Reports are point-in-time. Snapshot of test date.
  • Continuous improvement. Between tests, we ship security improvements regularly.
  • NDA-gated. Detailed reports under agreement.

Common pitfalls

Treating a pen test report as "we're 100% secure". It's a snapshot. New vulnerabilities emerge.

Demanding zero-finding report. Unrealistic. Honest reports show findings being managed.

Requesting source code review. Different exercise. Available under NDA on Enterprise.

FAQ

Can I run my own pen test against AskVault?

Yes, with prior written authorization. Email security@askvault.co.

Do you publish CVEs?

For customer-impacting vulnerabilities, yes, via the changelog and incident-response disclosure.

How often do you test?

Annual external; quarterly internal; continuous bug bounty.
