Penetration testing policy
Annual cadence + after every major change · scope OWASP Top 10 + API + infra · certified external vendor (OSCP/CREST/CEH) · responsible disclosure · mandatory re-test · summarized findings published. Public policy for transparency + Enterprise procurement.
Scope · 6 areas
| Area | Coverage | Frequency |
|---|---|---|
| Web application · landing + admin | OWASP Top 10 2021 · authn/authz · injection · XSS · CSRF · IDOR · SSRF · business logic flaws | Annual + after major change (refactor of 30%+ of admin code · new high-risk feature) |
| WhatsApp webhook · process-message pipeline | Webhook signature validation · idempotency · rate limiting · prompt injection · output guardrail bypass attempts | Annual + after changes to process-message.ts |
| Public API endpoints | Authentication bypass · rate limit bypass · enumeration · IDOR · mass assignment · CORS misconfiguration | Annual |
| Infrastructure · Cloudflare + Supabase + Upstash | Config review (Cloudflare WAF rules · Supabase RLS policies · Upstash auth tokens) · secret leakage scan | Semi-annual (Q2/Q4) |
| Mobile · NOT current (future) | When the patient/clinic admin mobile app ships · OWASP MASVS L1+L2 | Pre-launch + annual |
| Social engineering · NOT current | Phishing campaign against founder/staff · vishing pretexting · physical access (office N/A) | When team ≥5 people · planned after traction with first 5 clients |
Vendor criteria · 6 requirements
Standardized timeline · 8 milestones
Independent of the vendor selected · every pen test follows the same flow, for predictability + year-over-year comparison of metrics.
- M-30d · Scoping call with vendor · scope defined in writing · environment access · test accounts · contract + SOW + DPA signed
- M0 · Kickoff · vendor begins testing · daily sync calls · dedicated Slack channel · monitoring on our side (no obstruction)
- M+7-14d · Active testing concluded · vendor preparing report · findings categorized by CVSS as Critical/High/Medium/Low
- M+21d · Draft report delivered · client review (founder + technical advisor) · clarification calls · evidence verification
- M+30d · Final report · CRITICAL fixes immediately (≤48h) · HIGH fixes ≤1 week · MEDIUM ≤30d · LOW ≤90d
- M+60d · Retesting of CRITICAL + HIGH fixes · vendor verifies each fix was correctly applied · re-test certification issued
- M+90d · Public summary published · `/security` page updated · `/trust` page metrics updated · internal post-mortem
- M+365d · Next annual pen test scheduled · scope updated based on the year's infra changes · vendor evaluation (same vs rotate)
Findings history · transparent
| Date | Scope | Critical/High | Medium/Low | Vendor | Remediation |
|---|---|---|---|---|---|
| 2026-04-10 | Web app + API · 18 endpoints | 0 Critical · 1 High | 3 Medium · 5 Low | Internal automated only (Snyk · OWASP ZAP · npm audit) | 100% of findings remediated within 30d · public summary at `/security` |
| 2026-02-15 | Infrastructure review · Cloudflare + Supabase + Upstash | 0 Critical · 0 High | 2 Medium · 4 Low | Internal review by founder + ChatGPT auditor | All remediated within 14d · Cloudflare WAF rules tightened · Supabase RLS audit passed |
| TBD after CIF, Q3 2026 | Full external pen test | Planned | Planned | External certified vendor (TBD · scope: web + API + WhatsApp pipeline) | Budget allocated after traction with first 5 paying clients |
No full external pen test has been performed in the last 6 months. Reason: pre-revenue · budget allocated after CIF + first 5 paying clients (Q3 2026 estimated). Current mitigation: continuous automated tooling (Snyk · OWASP ZAP · npm audit · Sentry) + internal review (founder + ChatGPT auditor adversarial bundle, weekly).
This transparency is deliberate: many competitors claim SOC2/ISO without real external pen tests. Our public policy commits to an external pen test before Enterprise procurement · NOT only when someone asks.
Does your security team need pen test reports?
Once the first external pen test is completed (Q3 2026 planned) · executive summary + redacted technical report available under Enterprise NDA. Useful for pre-procurement security review.