Implements the vulnerability-management requirements of the Operations Security Policy.

Sources of findings

  • Vulnerability scans of public-facing production systems — at least quarterly.
  • Penetration tests — at least annually, plus after major changes.
  • Vendor advisories for software in use.
  • Bug bounty (planned) — Neuroscale intends to operate a private, invitation-only bug bounty. In the interim it operates coordinated vulnerability disclosure: researchers wishing to disclose a vulnerability, or to request an invitation once the program opens, should email security@neuroscale.ai. Neuroscale will not pursue legal action against good-faith researchers who follow the disclosure expectations published on the Trust Center and the Report a Security Issue page.
  • Internal review and red-team exercises.
  • Reported findings — internal staff and external researchers submit findings via the Vulnerability intake form.

Tooling

ConcernTool
Static analysis (SAST)Semgrep and GitHub Advanced Security (CodeQL)
Secret scanningGitleaks
Dependency / SCASnyk and GitHub Dependency Review
Container scanningTrivy
Dynamic analysis (DAST) / external scanOWASP ZAP (public app & API, quarterly)
Cloud posture managementVanta
Penetration testingHorizon3 (annual)

Triage

Findings are evaluated by Security and Engineering. Neuroscale’s assessed severity may differ from a tool’s auto-rating based on internal architecture and exploitability.

Remediation SLAs

SeverityTime to remediate
Critical7 days
High30 days
Medium60 days
Low90 days
InformationalAs needed
Security-issue tickets — the security-tagged P0–P3 issues tracked in the Linear “Vulnerabilities” board and monitored by Vanta — follow these same remediation SLAs, mapped by priority: P0 = 7 days (Critical), P1 = 30 days (High), P2 = 60 days (Medium), P3+ = 90 days (Low). Tickets that cannot be remediated within the standard timeline must include a risk-treatment plan and planned remediation timeline approved by the CISO.

Tracking

Active findings live in the Linear “Vulnerabilities” board. Status is reviewed weekly by Security and reported quarterly to leadership.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 8, 2026Initial versionCameron WolfeIshan Jadhwani
1.1June 14, 2026Documented security-issue ticket (P0–P3) remediation SLAs, mapped to the Critical/High/Medium/Low tiers, to align policy with the Vanta security-ticket SLA configuration.Cameron WolfeIshan Jadhwani