Sources of findings
- Vulnerability scans of public-facing production systems — at least quarterly.
- Penetration tests — at least annually, plus after major changes.
- Vendor advisories for software in use.
- Bug bounty (planned) — Neuroscale intends to operate a private, invitation-only bug bounty. In the interim it operates coordinated vulnerability disclosure: researchers wishing to disclose a vulnerability, or to request an invitation once the program opens, should email security@neuroscale.ai. Neuroscale will not pursue legal action against good-faith researchers who follow the disclosure expectations published on the Trust Center and the Report a Security Issue page.
- Internal review and red-team exercises.
- Reported findings — internal staff and external researchers submit findings via the Vulnerability intake form.
Tooling
| Concern | Tool |
|---|---|
| Static analysis (SAST) | Semgrep and GitHub Advanced Security (CodeQL) |
| Secret scanning | Gitleaks |
| Dependency / SCA | Snyk and GitHub Dependency Review |
| Container scanning | Trivy |
| Dynamic analysis (DAST) / external scan | OWASP ZAP (public app & API, quarterly) |
| Cloud posture management | Vanta |
| Penetration testing | Horizon3 (annual) |
Triage
Findings are evaluated by Security and Engineering. Neuroscale’s assessed severity may differ from a tool’s auto-rating based on internal architecture and exploitability.Remediation SLAs
| Severity | Time to remediate |
|---|---|
| Critical | 7 days |
| High | 30 days |
| Medium | 60 days |
| Low | 90 days |
| Informational | As needed |
security-tagged P0–P3 issues tracked in the Linear “Vulnerabilities” board and monitored by Vanta — follow these same remediation SLAs, mapped by priority: P0 = 7 days (Critical), P1 = 30 days (High), P2 = 60 days (Medium), P3+ = 90 days (Low).
Tickets that cannot be remediated within the standard timeline must include a risk-treatment plan and planned remediation timeline approved by the CISO.
Tracking
Active findings live in the Linear “Vulnerabilities” board. Status is reviewed weekly by Security and reported quarterly to leadership.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |
| 1.1 | June 14, 2026 | Documented security-issue ticket (P0–P3) remediation SLAs, mapped to the Critical/High/Medium/Low tiers, to align policy with the Vanta security-ticket SLA configuration. | Cameron Wolfe | Ishan Jadhwani |