ZenoXCare — marketing
Pre-baseline · Engagement scheduled
Every external pentest, bug bounty, and internal red-team finding lands in a typed, append-only registry. Severity → remediation SLA is fixed and audit-defensible. The CI build fails when a finding sits past its SLA without a documented compensating control or risk acceptance.
Total findings: 0 · In SLA breach: 0 · Critical open: 0 · Engagement status: PLANNED
Severity → remediation SLA
The SLA is encoded in VAPT_REMEDIATION_SLA_DAYS in lib/compliance/vapt-tracker.ts. Changing it requires a PR and a CISO sign-off.
| Severity | Remediation SLA (calendar days) | Open findings today | Build-time enforcement |
|---|---|---|---|
| Critical | 7 days | 0 | CI fails if the finding is still OPEN or IN_REMEDIATION past the SLA and has not been moved to ACCEPTED_RISK. |
| High | 30 days | 0 | CI fails if the finding is still OPEN or IN_REMEDIATION past the SLA and has not been moved to ACCEPTED_RISK. |
| Medium | 60 days | 0 | CI fails if the finding is still OPEN or IN_REMEDIATION past the SLA and has not been moved to ACCEPTED_RISK. |
| Low | 90 days | 0 | CI fails if the finding is still OPEN or IN_REMEDIATION past the SLA and has not been moved to ACCEPTED_RISK. |
| Informational | Tracked, not enforced | 0 | INFO findings are recorded for trend analysis only. |
Lifecycle
Status transitions are validated by assertFindingWellFormed; the terminal states (VERIFIED and ACCEPTED_RISK) require evidence on file.
Step 1 · OPEN: Finding accepted into the tracker; severity assigned; SLA clock starts.
Step 2 · IN_REMEDIATION: Owner has scoped the fix; PR or change ticket linked; remediation under way.
Step 3 · RESOLVED: Fix shipped to production; awaiting independent verification.
Step 4 · VERIFIED: Assessor has retested and confirmed the fix; finding closed.
Risk acceptance — terminal but governed
ACCEPTED_RISK is a separate terminal state requiring documented justification and governance sign-off (CISO, CEO, or Board Security Committee). It is never used to side-step a remediation that is technically feasible.
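As an added example, not the project's own code in lib/compliance/vapt-tracker.ts: a TypeScript sketch of the append-only registry, the lifecycle validation and the severity → SLA CI gate described in the table and the lifecycle above. It reuses the identifiers assertFindingWellFormed and VAPT_REMEDIATION_SLA_DAYS from this page, but their bodies, every other name, and all sample findings, dates and ticket references are assumptions made for the example.

```typescript
// Added example, not ZenoXCare's code: a typed, append-only findings registry with
// the lifecycle validation and severity -> SLA CI gate described on this page.
// assertFindingWellFormed and VAPT_REMEDIATION_SLA_DAYS are the page's names;
// their bodies, every other identifier and all sample data are assumed here.

type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO";
type Status = "OPEN" | "IN_REMEDIATION" | "RESOLVED" | "VERIFIED" | "ACCEPTED_RISK";

interface Finding {
  readonly id: string;
  readonly severity: Severity;
  readonly status: Status;
  readonly openedAt: string;        // ISO date (UTC); the SLA clock starts here
  readonly remediationRef?: string; // PR or change ticket, required once remediation starts
  readonly evidence?: string;       // retest report or risk memo, required in terminal states
  readonly approver?: string;       // governance sign-off, required for ACCEPTED_RISK
}

// Assumed values matching the table above; null = tracked, not enforced.
const VAPT_REMEDIATION_SLA_DAYS: Record<Severity, number | null> = {
  CRITICAL: 7, HIGH: 30, MEDIUM: 60, LOW: 90, INFO: null,
};

// Forward-only transitions; a failed retest sends RESOLVED back to IN_REMEDIATION.
const ALLOWED_TRANSITIONS: Record<Status, readonly Status[]> = {
  OPEN: ["IN_REMEDIATION", "ACCEPTED_RISK"],
  IN_REMEDIATION: ["RESOLVED", "ACCEPTED_RISK"],
  RESOLVED: ["VERIFIED", "IN_REMEDIATION"],
  VERIFIED: [],
  ACCEPTED_RISK: [],
};
const TERMINAL = new Set<Status>(["VERIFIED", "ACCEPTED_RISK"]);
const ENFORCED = new Set<Status>(["OPEN", "IN_REMEDIATION"]);
const MS_PER_DAY = 86400000;

// Returns the first rule a record violates, or null if it is well formed.
function validationError(rec: Finding, previous?: Finding): string | null {
  if (Number.isNaN(Date.parse(rec.openedAt))) return `${rec.id}: openedAt is not a valid date`;
  if (previous) {
    // The SLA clock is immutable: a later record may not move openedAt.
    if (previous.openedAt !== rec.openedAt) return `${rec.id}: openedAt may not change`;
    if (!ALLOWED_TRANSITIONS[previous.status].includes(rec.status))
      return `${rec.id}: illegal transition ${previous.status} -> ${rec.status}`;
  } else if (rec.status !== "OPEN") return `${rec.id}: a finding must enter the registry as OPEN`;
  if ((rec.status === "IN_REMEDIATION" || rec.status === "RESOLVED") && !rec.remediationRef)
    return `${rec.id}: ${rec.status} requires a linked PR or change ticket`;
  if (TERMINAL.has(rec.status) && !rec.evidence)
    return `${rec.id}: terminal state ${rec.status} requires evidence on file`;
  if (rec.status === "ACCEPTED_RISK" && !rec.approver)
    return `${rec.id}: ACCEPTED_RISK requires governance sign-off`;
  return null;
}
function assertFindingWellFormed(rec: Finding, previous?: Finding): void {
  const err = validationError(rec, previous);
  if (err) throw new Error(err);
}

// Append-only: a status change is a new record for the same id; the latest record wins.
function latestByFinding(registry: readonly Finding[]): Map<string, Finding> {
  const latest = new Map<string, Finding>();
  for (const rec of registry) latest.set(rec.id, rec);
  return latest;
}
function appendRecord(registry: Finding[], rec: Finding): void {
  assertFindingWellFormed(rec, latestByFinding(registry).get(rec.id));
  registry.push(rec);
}
function daysOpen(rec: Finding, nowIso: string): number {
  return Math.floor((Date.parse(nowIso) - Date.parse(rec.openedAt)) / MS_PER_DAY);
}

// The CI gate: fail on any OPEN/IN_REMEDIATION finding past its SLA.
// RESOLVED, VERIFIED and ACCEPTED_RISK are exempt; INFO is never enforced.
function ciGate(registry: readonly Finding[], nowIso: string) {
  const breaches: string[] = [];
  let criticalOpen = 0;
  for (const rec of Array.from(latestByFinding(registry).values())) {
    if (!ENFORCED.has(rec.status)) continue;
    if (rec.severity === "CRITICAL") criticalOpen++;
    const sla = VAPT_REMEDIATION_SLA_DAYS[rec.severity];
    if (sla !== null && daysOpen(rec, nowIso) > sla) breaches.push(rec.id);
  }
  return { ok: breaches.length === 0, breaches, criticalOpen };
}

// Constructed sample data: ids, dates and ticket references are invented.
function buildSampleRegistry(): Finding[] {
  const reg: Finding[] = [];
  const add = (rec: Finding) => appendRecord(reg, rec);
  add({ id: "F-001", severity: "CRITICAL", status: "OPEN", openedAt: "2025-03-01" });
  add({ id: "F-002", severity: "HIGH", status: "OPEN", openedAt: "2025-01-15" });
  add({ id: "F-002", severity: "HIGH", status: "IN_REMEDIATION", openedAt: "2025-01-15", remediationRef: "CHG-118" });
  add({ id: "F-002", severity: "HIGH", status: "RESOLVED", openedAt: "2025-01-15", remediationRef: "CHG-118" });
  add({ id: "F-003", severity: "MEDIUM", status: "OPEN", openedAt: "2025-01-01" });
  add({ id: "F-003", severity: "MEDIUM", status: "ACCEPTED_RISK", openedAt: "2025-01-01", evidence: "risk-memo-F-003.pdf", approver: "CISO" });
  add({ id: "F-004", severity: "INFO", status: "OPEN", openedAt: "2024-06-01" });
  add({ id: "F-005", severity: "HIGH", status: "OPEN", openedAt: "2025-02-10" });
  add({ id: "F-005", severity: "HIGH", status: "IN_REMEDIATION", openedAt: "2025-02-10", remediationRef: "PR-57" });
  add({ id: "F-001", severity: "CRITICAL", status: "IN_REMEDIATION", openedAt: "2025-03-01", remediationRef: "PR-42" });
  return reg;
}

console.log(ciGate(buildSampleRegistry(), "2025-03-12"));
// { ok: false, breaches: [ 'F-001' ], criticalOpen: 1 }
```

Two details carry the audit-defensibility the page claims. The gate reads only the latest record per finding, so moving a finding to a new status appends history rather than rewriting it, and openedAt is rejected if it differs from the previous record, so a breach cannot be cured by quietly resetting the SLA clock. In the sample run, F-001 (Critical, 11 days open, still in remediation) fails the build; F-003 is 70 days old but exempt because it carries an approved ACCEPTED_RISK record with evidence; F-005 sits at exactly 30 days and is not yet beyond its High SLA.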
Live registry
No findings recorded yet.
The platform has not yet undergone a baseline VAPT engagement (see baseline VAPT certification record). When findings land, they appear here automatically — same page, same component, same SLA discipline.
Researchers and partners can submit findings via our coordinated disclosure path. We acknowledge within 72 hours, triage within 5 business days, and publish a redacted entry on this page once the fix is verified.