Sources of findings
- Vulnerability scans of public-facing production systems — at least quarterly.
- Penetration tests — at least annually, plus after major changes.
- Vendor advisories for software in use.
- Bug bounty — private bug bounty, by invitation only. Researchers seeking an invitation, or wishing to disclose a vulnerability outside the program, should email security@neuroscale.ai. Neuroscale will not pursue legal action against good-faith researchers who follow the disclosure expectations published on the Trust Center and the Report a Security Issue page.
- Internal review and red-team exercises.
- Reported findings — internal staff and external researchers submit findings via the Vulnerability intake form.
Tooling
| Concern | Tool |
|---|---|
| External vulnerability scanning | Detectify |
| Dependency / SCA | Dependabot, Snyk, and GitHub Advanced Security |
| Container scanning | Trivy |
| Cloud posture management | Vanta |
| Penetration testing | (todo: vendor) |
Triage
Findings are evaluated by Security and Engineering. Neuroscale’s assessed severity may differ from a tool’s auto-rating based on internal architecture and exploitability.
Remediation SLAs
| Severity | Time to remediate |
|---|---|
| Critical | 7 days |
| High | 30 days |
| Medium | 60 days |
| Low | 90 days |
| Informational | As needed |
Tracking
Active findings live in the Linear “Vulnerabilities” board. Status is reviewed weekly by Security and reported quarterly to leadership.
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |