Will you provide results of application and system vulnerability scans to the institution?
Explanation
Transparency around scanning is the issue: the institution wants to know whether you will share the results of your application and system vulnerability scans with them.
Vulnerability scans are automated tests that identify security weaknesses in software applications, operating systems, and network devices. These scans detect issues like missing security patches, insecure configurations, or known software flaws that could be exploited by attackers.
Why it's being asked:
- Transparency: The institution wants to understand the security posture of the systems they're entrusting with their data.
- Risk assessment: They need to evaluate whether your security vulnerabilities could put their data at risk.
- Compliance requirements: Many regulatory frameworks (like HIPAA, PCI DSS, etc.) require organizations to ensure their vendors maintain adequate security controls.
- Due diligence: The institution needs to demonstrate they've performed proper security oversight of their vendors.
How to best answer it:
- Be honest about your vulnerability scanning practices and sharing policies
- Explain what types of scan results you're willing to share (summary reports vs. detailed findings)
- Describe any limitations or conditions on sharing (e.g., requiring NDAs, redacting certain information)
- Mention the frequency of scans and reporting
- If you don't share scan results, explain your alternative methods for providing security assurances
Example Responses
Example Response 1
Yes, we will provide vulnerability scan results to the institution We conduct monthly automated vulnerability scans using Qualys on all production systems and quarterly penetration tests using a third-party security firm Upon request and with an executed NDA, we can provide summary reports of these scans showing vulnerability counts by severity level, remediation timelines, and attestation of remediation completion For critical or high vulnerabilities that might affect the institution's data, we will proactively notify the institution within 48 hours of discovery and provide regular updates until remediation is complete We can also accommodate requests for more detailed reports on a case-by-case basis.
Example Response 2
Yes, we provide vulnerability scan results through our customer security portal Our security team conducts weekly automated vulnerability scans using Nessus and quarterly manual penetration tests Authorized institution representatives can access our security portal at any time to view current and historical scan results, including detailed findings, CVSS scores, remediation status, and timelines The portal also includes our vulnerability management policy, which commits to remediating critical vulnerabilities within 15 days, high within 30 days, medium within 60 days, and low within 90 days We can also schedule quarterly security review meetings to discuss scan findings and remediation efforts if desired.
Example Response 3
No, we do not provide direct access to our vulnerability scan results As a multi-tenant SaaS provider serving hundreds of customers, we maintain a strict policy of not sharing internal security testing documentation with individual clients to protect our overall security posture However, we understand the need for security assurance and instead provide SOC 2 Type II reports annually, which include independent auditor attestation of our vulnerability management practices We also maintain ISO 27001 certification and can provide the Statement of Applicability showing our vulnerability management controls For specific security concerns, our CISO office can arrange executive-level security briefings to discuss our security program in general terms without revealing specific vulnerabilities that could create risk if disclosed.
Context
- Tab
- Infrastructure
- Category
- Vulnerability Management
Related questions
- Are your systems and applications scanned with an authenticated user account for vulnerabilities (that are remediated) prior to new releases?
- Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?
- Have your systems and applications had a third-party security assessment completed in the last year?
- Do you regularly scan for common web application security vulnerabilities (e.g., SQL injection, XSS, XSRF, etc.)?
- Are your systems and applications regularly scanned externally for vulnerabilities?

