VULN-03

Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?

Explanation

This question is asking whether your organization will permit the institution (the customer) to conduct their own vulnerability testing or scanning against your systems or applications. Vulnerability testing involves systematically checking systems for security weaknesses that could be exploited by attackers. This can include automated scanning tools that check for known vulnerabilities, misconfigurations, or outdated software, as well as more intensive penetration testing where security professionals attempt to exploit vulnerabilities.

The question is being asked because:

1. The institution wants to verify your security posture independently rather than just taking your word for it
2. They may have specific compliance requirements that mandate independent verification
3. They want to ensure that vulnerabilities that might specifically impact their data or use case are identified
4. They may have their own security standards that they need to verify are being met

The question specifically mentions 'mutually agreed upon time and date' because vulnerability testing can impact system performance or availability, so it needs to be coordinated to minimize disruption.

When answering this question, you should consider:

- Your organization's policies regarding external security testing
- Any regulatory or contractual restrictions that might apply
- How you would coordinate such testing to minimize business impact
- Whether you have any limitations on the scope or methods of testing allowed

Being open to customer-led security testing demonstrates transparency and confidence in your security controls, but you should also ensure proper safeguards are in place to protect your infrastructure and other customers.

Example Responses

Example Response 1

Yes, we allow customers to perform vulnerability testing and scanning of our systems and applications. We require at least 14 days' advance notice to schedule the testing during off-peak hours (typically weekends or between 10 PM and 4 AM ET). We ask customers to provide the IP addresses that will be used for scanning, the scope of systems to be tested, and the testing methodology. We'll provide a testing agreement that outlines permitted activities and restrictions (e.g., no DoS testing). We can also provide a dedicated test environment that mirrors our production environment if testing in production is not feasible. After testing, we request a copy of the findings to incorporate into our vulnerability management process.

Example Response 2

Yes, our organization permits institutional customers to conduct vulnerability assessments against our platform with certain parameters. We require a minimum of 30 days' notice and limit testing windows to our scheduled maintenance periods (first Sunday of each month, 1 AM to 5 AM PT). Testing must be limited to non-disruptive methods (authenticated scanning only, no exploitation attempts or DoS testing). The institution must sign our security testing agreement and provide detailed testing plans including tools to be used, testing methodology, and scope. We assign a security engineer to monitor the testing and can provide a sandbox environment that replicates our production configuration for more invasive testing approaches.

Example Response 3

No, we do not currently allow customers to perform their own vulnerability testing or scanning against our production systems. This restriction exists because we operate a multi-tenant environment where testing by one customer could potentially impact service availability for others. Instead, we engage independent third-party security firms to conduct quarterly vulnerability assessments and annual penetration tests, and we can provide summary reports of these assessments upon request under NDA. We also maintain SOC 2 Type II certification and can provide our attestation report, which includes details about our vulnerability management program. If this is a strict requirement for your institution, we could discuss the possibility of providing access to a dedicated test instance that mirrors our production environment.

Context

Tab: Infrastructure
Category: Vulnerability Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub