External penetration testing

We engage an independent security firm for periodic application and API penetration testing. The current cycle is scheduled for [DATE]. After each engagement we: (1) triage findings, (2) remediate per our vulnerability SLAs (Critical 7d, High 30d, Medium 60d, Low 90d), and (3) publish a one-page attestation summarizing scope and overall results.

We also run CI checks (dependency and static analysis) and maintain a responsible disclosure channel (see /security/disclosure).

To request the latest attestation, email security@canoma.app from a company domain. We’ll share a summary and can review technical details under NDA if required.