Trust & Security

Penetration Testing Summary

Independent testers assess our stack annually. We remove client data before testing so no sensitive records are ever exposed during engagements.

Key Features:

  • 🛡️ Zero live client data in test scope
  • ⏱️ Remediation within 24 hours for priority findings
  • 📄 Full report shared under NDA

Latest engagement: 30 Sep – 11 Oct 2025

Scope & Methodology

Conducted by a CREST-certified partner covering Buffsend infrastructure, customer dashboard, takedown evidence vault, and internal automation services. Testing combined gray-box application testing, API fuzzing, cloud configuration review, and social engineering resistance checks.

What Testers Did

  • Authenticated application testing across admin and customer roles
  • API abuse attempts including rate-limit bypass and privilege escalation
  • Cloud security review (GCP) focusing on IAM, network segmentation, and logging
  • Phishing resilience test for a target group of 5 operations analysts

Data Handling Approach

  • No live client manifests or takedown packets accessible during testing
  • Synthetic datasets generated with anonymized structures
  • All test accounts instrumented with just-in-time provisioning and audit logging
  • Report artifacts stored in evidence room with encryption at rest

Severity: High

OAuth Redirect Hardening

Third-party testers identified that a legacy OAuth redirect endpoint accepted wildcard subdomains. No exploitation occurred, but we tightened allowed return URIs and added signed nonce validation within 24 hours.

Remediation: Production fix deployed within the test window, validated by retest on 10 Oct 2025.
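To illustrate the two controls named in this finding, here is an added example (not Buffsend's or the testing partner's code) contrasting the weak wildcard-subdomain check with an exact-match return URI allow-list, plus an HMAC-bound nonce. The example.com hosts, callback paths and session identifiers are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed allow-list for illustration; the real return URIs are not on the page.
ALLOWED_REDIRECTS = {
    "https://app.example.com/oauth/callback",
    "https://dashboard.example.com/oauth/callback",
}


def legacy_redirect_allowed(uri: str) -> bool:
    """The weak pattern: any https host under the product domain is accepted."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == "example.com" or host.endswith(".example.com"))


def hardened_redirect_allowed(uri: str) -> bool:
    """Exact-match allow-list: scheme, host, port and path must all match; no query or fragment."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    normalized = f"{parts.scheme}://{parts.netloc.lower()}{parts.path}"
    return normalized in ALLOWED_REDIRECTS


def issue_nonce(secret: bytes, session_id: str) -> str:
    """Issue a random nonce carrying an HMAC tag bound to the caller's session."""
    nonce = secrets.token_urlsafe(16)
    tag = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_nonce(secret: bytes, session_id: str, state: str) -> bool:
    """Reject tampered, malformed or foreign-session nonces with a constant-time compare."""
    try:
        nonce, tag = state.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)
```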

Severity: Medium

Admin Session Timeout

Admin console session timeout was configured to 12 hours. Testers recommended aligning it with our 30-minute policy. We updated the configuration and forced re-authentication.

Remediation: Timeout reduced to 30 minutes. Adjustment documented in access control policy rev. 8/2025.

Severity: Informational

TLS Cipher Suite Inventory

The report recommended pruning unused legacy cipher suites from the CDN configuration. This had no impact on security posture but was implemented for hygiene.

Remediation: Cipher suites removed and automated monitoring added via SecurityHeaders.io.

Next Steps

We schedule our next full-scope test for April 2026 and run quarterly internal offensive exercises. Clients can observe remediation tasks through shared ticket dashboards.

Quarterly Purple Team

Internal detection and response simulations to rehearse platform takedown escalations.

Shared Fix Tracking

Clients receive read access to remediation tickets inside our security workspace.

Regulator Briefings

Summaries available for regulator or partner security reviews under NDA.