Trust Statement · 01

VAPT Statement.

Every release that touches production is preceded by a documented vulnerability assessment. Every major release by a hands-on penetration test. Zero critical findings is a contractual gate before any system goes live.

Status: Active
Effective: 15 May 2026
Version: v 2.4
Cadence: Quarterly external + per-release internal

01 / OVERVIEW

What VAPT means at Ophanix.

Vulnerability Assessment and Penetration Testing (VAPT) is a contractual gate at Ophanix — not a once-a-year audit theatre. Every release that touches production is preceded by an automated assessment, and every major release is preceded by a hands-on penetration test conducted by an independent assessor.

This page is the public summary of that programme. The full report — methodology, findings, remediation log — is shared under NDA with every enterprise customer during procurement, and updated on each quarterly review.

02 / SCOPE

What is tested.

VAPT covers every component that customer data, customer models, or customer credentials touch:

  • Application layer — web consoles, RoboChat surfaces, mobile clients, public-facing APIs (REST, GraphQL, streaming).
  • Inference and data layer — model serving endpoints, vector stores, feature stores, transactional databases.
  • Ingestion pipelines — social, broadcast, satellite tile, and partner data sources, including authentication chains and signed-URL handling.
  • Operator surfaces — HITL consoles, takedown automation, escalation routing — including authorisation boundaries and audit-log integrity.
  • Infrastructure — Kubernetes posture, IAM policies, KMS configuration, network segmentation, secrets management.
  • Supply chain — dependency hygiene, build-system integrity (SLSA-aligned), container provenance, transitive vulnerabilities.

03 / CADENCE

How often, and by whom.

  • Continuous — SAST, DAST, dependency scanning, secret scanning, IaC linting run on every commit. Failing builds do not deploy.
  • Weekly — authenticated black-box scans against the staging environment by the internal security team.
  • Per release — targeted manual review and abuse-case testing on changed surfaces before promotion.
  • Quarterly — external penetration test by an independent CREST-aligned assessor against the customer-tenant deployment pattern.
  • Pre-go-live — full-scope VAPT against the specific customer deployment, with the customer's security team invited to observe. Zero critical findings is a contractual gate.

04 / FINDINGS & REMEDIATION

What happens when something is found.

Findings are classified by CVSS and contextual exploitability, and routed under the following SLAs:

  • Critical — remediation or compensating control deployed within 48 hours. Customer security teams notified within 24 hours of confirmation if their tenant is exposed.
  • High — remediation within 7 days. Documented in next release notes.
  • Medium — remediation within the current quarter.
  • Low / informational — tracked, prioritised against engineering capacity, addressed in routine hardening sprints.

Every finding has a named owner. Every remediation is reviewed by a second engineer before close-out. Every closed finding includes a regression test.

05 / RESPONSIBLE DISCLOSURE

If you find something, talk to us.

We run a public coordinated-disclosure programme. Researchers who report in good faith are welcomed, recognised, and — for findings that meet the criteria — paid.

Reporting channel

security@ophanix.org · PGP key fingerprint published on request · acknowledgement within 24 hours, triage within 72.

Bounties

  • Remote code execution — up to €25,000.
  • Authentication / authorisation bypass — up to €15,000.
  • Sensitive data exposure — up to €10,000.
  • Cross-tenant disclosure — up to €20,000 (we take this category extremely seriously).

Safe-harbour

We will not pursue legal action against researchers acting in good faith under our programme. Scope, exclusions, and the full programme policy are in the response email you receive on first contact.

06 / CUSTOMER EVIDENCE

What customers receive.

  • Pre-go-live VAPT report, redacted only of test credentials.
  • Quarterly summary of new findings, remediation status, and posture trend.
  • Incident notification within 24 hours of any tenant-affecting confirmed finding.
  • Annual independent attestation suitable for the customer's own audit and supervisor.
  • Right to commission an additional independent test, at the customer's cost, against their tenant — with reasonable notice and coordination.

Engage

Need the full evidence pack?

We share the complete audit pack — methodology, findings, remediation log, third-party attestations — with prospective customers under NDA during procurement.
