Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?
Explanation
Customer-led testing is what's being asked about: whether you will let the institution run its own vulnerability scans against your systems at a mutually agreed time.
Vulnerability testing involves systematically checking systems for security weaknesses that could be exploited by attackers. This can include automated scanning tools that check for known vulnerabilities, misconfigurations, or outdated software, as well as more intensive penetration testing where security professionals attempt to exploit vulnerabilities.
The question is being asked because:
- The institution wants to verify your security posture independently rather than just taking your word for it
- They may have specific compliance requirements that mandate independent verification
- They want to ensure that vulnerabilities that might specifically impact their data or use case are identified
- They may have their own security standards that they need to verify are being met
The question specifically mentions 'mutually agreed upon time and date' because vulnerability testing can impact system performance or availability, so it needs to be coordinated to minimize disruption.
When answering this question, you should consider:
- Your organization's policies regarding external security testing
- Any regulatory or contractual restrictions that might apply
- How you would coordinate such testing to minimize business impact
- Whether you have any limitations on the scope or methods of testing allowed
Being open to customer-led security testing demonstrates transparency and confidence in your security controls, but you should also ensure proper safeguards are in place to protect your infrastructure and other customers.
Example Responses
Example Response 1
Yes, we allow customers to perform vulnerability testing and scanning of our systems and applications We require at least 14 days advance notice to schedule the testing during off-peak hours (typically weekends or between 10 PM and 4 AM ET) We ask customers to provide the IP addresses that will be used for scanning, the scope of systems to be tested, and the testing methodology We'll provide a testing agreement that outlines permitted activities and restrictions (e.g., no DoS testing) We can also provide a dedicated test environment that mirrors our production environment if testing in production is not feasible After testing, we request a copy of the findings to incorporate into our vulnerability management process.
Example Response 2
Yes, our organization permits institutional customers to conduct vulnerability assessments against our platform with certain parameters We require a minimum of 30 days' notice and limit testing windows to our scheduled maintenance periods (first Sunday of each month, 1 AM to 5 AM PT) Testing must be limited to non-disruptive methods (authenticated scanning only, no exploitation attempts or DoS testing) The institution must sign our security testing agreement and provide detailed testing plans including tools to be used, testing methodology, and scope We assign a security engineer to monitor the testing and can provide a sandbox environment that replicates our production configuration for more invasive testing approaches.
Example Response 3
No, we do not currently allow customers to perform their own vulnerability testing or scanning against our production systems This restriction exists because we operate a multi-tenant environment where testing by one customer could potentially impact service availability for others Instead, we engage independent third-party security firms to conduct quarterly vulnerability assessments and annual penetration tests, and we can provide summary reports of these assessments upon request under NDA We also maintain SOC 2 Type II certification and can provide our attestation report which includes details about our vulnerability management program If this is a strict requirement for your institution, we could discuss the possibility of providing access to a dedicated test instance that mirrors our production environment.
Context
- Tab
- Infrastructure
- Category
- Vulnerability Management
Related questions
- Are your systems and applications scanned with an authenticated user account for vulnerabilities (that are remediated) prior to new releases?
- Will you provide results of application and system vulnerability scans to the institution?
- Have your systems and applications had a third-party security assessment completed in the last year?
- Do you regularly scan for common web application security vulnerabilities (e.g., SQL injection, XSS, XSRF, etc.)?
- Are your systems and applications regularly scanned externally for vulnerabilities?

