GoRefer Trust Center
Penetration Testing
Updated April 2026
GoRefer conducts independent penetration testing as part of our ongoing security assurance program. Tests are performed by qualified third-party security firms following established methodologies. Results are tracked to remediation and reports are available under NDA.
Testing Cadence
Annual Full Pentest
Full-scope web application and API penetration test
Conducted by an independent, third-party security firm
Performed annually, or after major architectural changes
Results include executive summary + technical findings + remediation guidance
Continuous Scanning
Automated vulnerability scanning on every deployment
Dependency vulnerability scanning (Snyk / Dependabot) in CI/CD
SAST (Static Application Security Testing) on all pull requests
Container image scanning for known CVEs
Feature-Level Testing
New high-risk features receive security review before release
AI/Gio prompt injection testing with each major model update
Payment flow security review on Stripe integration changes
OAuth / identity flow review on auth changes
Test Scope & Methodology
| Test Area | Scope | Methodology |
|---|---|---|
| Web Application | Full GoRefer portal (frontend + API) | OWASP Top 10 + ASVS L2 |
| Authentication & Session | Login, MFA, JWT, refresh token lifecycle | Manual + automated |
| API Endpoints | All REST endpoints — authorization, injection, data exposure | Burp Suite + manual |
| Access Control | RBAC enforcement, cross-tenant isolation, privilege escalation | Manual testing |
| AI / Gio Features | Prompt injection, data leakage via AI responses | Manual + red team |
| Infrastructure | AWS configuration, S3 bucket exposure, network segmentation | Cloud security review |
Remediation Process
All findings tracked to resolution
Critical and High findings are remediated within 72 hours of confirmation; Medium findings are remediated within 2 weeks, and Low findings are addressed in the next sprint. Every finding is re-tested to confirm resolution before the engagement is closed.
Critical / High Priority
Immediate triage and incident response activation
72-hour remediation target
Executive notification if customer data is at risk
Re-test with pentest firm before clearing
Medium / Low Priority
Tracked in security backlog with owner and due date
Medium: 2 weeks; Low: next sprint
All findings documented in internal remediation register
Annual pentest re-tests previously-closed findings
Access Pentest Results
Enterprise customers and security-conscious prospects can request access to our most recent penetration test executive summary or detailed report under a mutual NDA. Request access through the Trust Portal and select "Penetration Test Report" from the document list.