
Penetration Testing & Vulnerability Scanning

MazeVault Security Assessment Methodology, Vulnerability Management, and Current Status

Document Version: 1.1.0
Last Updated: 2026-04-03


1. Security Assessment Program

MazeVault maintains a comprehensive security assessment program combining automated scanning, manual testing, and continuous monitoring to identify and remediate vulnerabilities proactively.

Assessment Type                             | Frequency              | Scope
--------------------------------------------|------------------------|---------------------------------------------------
Dependency Vulnerability Scanning           | Continuous (per build) | Go modules (govulncheck), npm packages (npm audit)
Container Image Scanning                    | Per build              | Docker images (Trivy v0.28.0, pinned)
Static Application Security Testing (SAST)  | Per code change        | Application source code
Dynamic Application Security Testing (DAST) | Monthly                | Running application endpoints (OWASP ZAP)
Manual Penetration Testing                  | Annual                 | Full platform

2. Testing Scope

In Scope

Component           | Test Categories
--------------------|---------------------------------------------------------------------------
API Server          | Authentication bypass, authorization escalation, injection, business logic
Web Interface       | XSS, CSRF, clickjacking, session management, client-side security
OCSP Responder      | Protocol compliance, denial of service, response manipulation
Database Layer      | SQL injection, access control, encryption validation
Network Layer       | TLS configuration, certificate validation, protocol security
Agent Communication | mTLS validation, bootstrap flow, key exchange
Dependencies        | Known CVEs in Go modules, npm packages, Docker base images

Out of Scope

  • Physical security of customer infrastructure
  • Third-party cloud provider infrastructure (Azure, AWS)
  • Customer network configuration
  • Social engineering

3. Vulnerability Classification

MazeVault uses CVSS v3.1 for vulnerability scoring:

Severity      | CVSS Score | Response SLA | Description
--------------|------------|--------------|----------------------------------------------------------
Critical      | 9.0–10.0   | 48 hours     | Remote code execution, authentication bypass, data breach
High          | 7.0–8.9    | 7 days       | Privilege escalation, significant data exposure
Medium        | 4.0–6.9    | 30 days      | Limited information disclosure, denial of service
Low           | 0.1–3.9    | 90 days      | Minor information leakage, defense-in-depth improvements
Informational | 0.0        | Best effort  | Hardening recommendations

4. Current Vulnerability Status

Q1 2026 Comprehensive Dependency Scan (April 2026)

Scan Tools: govulncheck (Go call-graph analysis), npm audit (Node.js), go mod verify (integrity)
Scope: 7 Go modules (~340 transitive dependencies), 2 npm packages (~800 transitive dependencies), 5 Docker images

Severity | Found | Remediated | Remaining
---------|-------|------------|----------
Critical |     2 |          2 |         0
High     |     6 |          6 |         0
Medium   |    10 |         10 |         0
Low      |     6 |          0 |         6
Total    |    24 |         18 |         6

Critical Vulnerabilities Remediated

ID           | Component          | Description                                          | Resolution
-------------|--------------------|------------------------------------------------------|-------------------------------------------
GO-2026-4753 | Backend (SAML SSO) | XML signature bypass allowing authentication forgery | Updated goxmldsig v1.3.0 → v1.6.0
GO-2024-2687 | K8s Operator       | HTTP/2 CONTINUATION flood denial-of-service          | Updated golang.org/x/net v0.19.0 → v0.52.0

High Severity Vulnerabilities Remediated

ID           | Component                   | Description                                       | Resolution
-------------|-----------------------------|---------------------------------------------------|------------------------------------------
GO-2026-4762 | Backend, Terraform Provider | gRPC authorization bypass                         | Updated google.golang.org/grpc → v1.80.0
GO-2025-3485 | Backend                     | JOSE parsing denial-of-service                    | Updated go-jose/v3 v3.0.0 → v3.0.4
GO-2024-2631 | Backend                     | JOSE decompression bomb                           | Updated go-jose/v3 v3.0.0 → v3.0.4
GO-2023-2334 | Backend                     | PBES2 JWE denial-of-service                       | Updated go-jose/v3 v3.0.0 → v3.0.4
GO-2025-3595 | K8s Operator                | XSS via incorrect neutralization in x/net         | Updated golang.org/x/net → v0.52.0
GHSA-848j    | Node SDK                    | Handlebars.js JavaScript injection (8 advisories) | Updated via npm audit fix

Component Status

Component          | Go Modules | npm Packages | Status
-------------------|------------|--------------|------------------------------------------------
Backend API        | ✅ 0 vulns | n/a          | Clean
Agent              | ✅ 0 vulns | n/a          | Clean
OCSP Responder     | ✅ 0 vulns | n/a          | Clean
CLI                | ✅ 0 vulns | n/a          | Clean
K8s Operator       | ✅ 0 vulns | n/a          | Clean
Terraform Provider | ✅ 0 vulns | n/a          | Clean
Go SDK             | ✅ 0 vulns | n/a          | Clean
Frontend           | n/a        | 6 low        | 6 low-severity build-time dev dependencies only
Node SDK           | n/a        | ✅ 0 vulns   | Clean

Remaining Low-Severity Items

The 6 remaining low-severity vulnerabilities are in the frontend's elliptic transitive dependency chain (vite-plugin-node-polyfills → node-stdlib-browser → crypto-browserify → elliptic). These are build-time development dependencies only and do not ship in the production frontend bundle. The runtime application uses @noble/ciphers and @noble/hashes for cryptographic operations.

Q4 2025 Penetration Test

Assessment Type: Full manual penetration test + automated scanning

Severity      | Findings | Remediated | Open
--------------|----------|------------|-----
Critical      |        0 |          0 |    0
High          |        0 |          0 |    0
Medium        |        2 |          2 |    0
Low           |        4 |          3 |    1
Informational |        6 |          4 |    2
Total         |       12 |          9 |    3

Key Findings and Remediations

# | Severity | Category                                               | Status
--|----------|--------------------------------------------------------|--------------
1 | Medium   | TLS cipher suite ordering optimization                 | ✅ Remediated
2 | Medium   | Rate limiting improvement for authentication endpoints | ✅ Remediated
3 | Low      | Additional security headers (Permissions-Policy)       | ✅ Remediated
4 | Low      | Cookie SameSite attribute strengthening                | ✅ Remediated
5 | Low      | Verbose error messages in non-production modes         | ✅ Remediated
6 | Low      | HSTS preload submission recommendation                 | ⏳ Planned
7 | Info     | CSP report-uri directive recommendation                | ⏳ Planned
8 | Info     | Additional certificate transparency logging            | ⏳ Planned

Areas Tested with No Findings

  • ✅ SQL Injection — Parameterized queries throughout
  • ✅ Cross-Site Scripting (XSS) — CSP + output encoding
  • ✅ Authentication Bypass — SRP protocol properly implemented
  • ✅ Authorization Escalation — RBAC enforced at service layer
  • ✅ Cryptographic Weaknesses — AES-256-GCM properly implemented
  • ✅ Certificate Validation — Proper chain verification
  • ✅ Secret Data Exposure — Encryption at rest verified

5. Continuous Security Monitoring

Automated Scanning Tools

Tool                    | Purpose                                                       | Frequency
------------------------|---------------------------------------------------------------|-------------------------
Trivy (v0.28.0, pinned) | Container image and filesystem CVE scanning                   | Per build, all CI events
govulncheck             | Go dependency vulnerability checking with call-graph analysis | Per build
npm audit               | Frontend and SDK dependency vulnerability checking            | Per build
OWASP ZAP               | Dynamic application scanning                                  | Monthly

Security Metrics

Metric                                     | Target     | Current
-------------------------------------------|------------|-----------
Mean Time to Remediate (Critical)          | < 48 hours | < 24 hours
Mean Time to Remediate (High)              | < 7 days   | < 24 hours
Dependency vulnerabilities (Critical/High) | 0          | 0
Container image vulnerabilities (Critical) | 0          | 0
Go modules fully clean                     | 7/7        | 7/7 ✅

CI/CD Security Pipeline

Security scanning is integrated into the CI/CD pipeline and runs on every event (push, pull request, manual dispatch):

  1. Source code scanning — Trivy filesystem scan for known CVEs
  2. Go vulnerability analysis — govulncheck with call-graph analysis (fewer false positives than pattern matching)
  3. npm dependency audit — npm audit for frontend and SDK packages
  4. Container image scanning — Trivy image scan after Docker build
  5. SARIF upload — Results uploaded to GitHub Security tab for tracking
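The five steps above, together with the production-only audit that backs the "build-time development dependencies only" statement under Remaining Low-Severity Items, as one added shell example. This script was written for this document and is not MazeVault's own CI script: the file name security-scan.sh, the image tag, the output directory, the package directories and the repository slug are placeholders, and it assumes govulncheck v1.1.0 or later (for -format sarif), npm 8 or later (for --omit=dev) and the gh CLI for the upload step.

```shell
#!/bin/sh
# security-scan.sh (placeholder name): added example of the five-step CI
# pipeline described on this page; not MazeVault's own script.
# Assumed, not from the page: image tag, output directory, package paths,
# repository slug. All are overridable via the environment.
set -eu

IMAGE="${IMAGE:-mazevault/backend:ci}"      # placeholder: image built before step 4
OUT="${OUT:-scan-results}"                  # SARIF reports are written here
NPM_DIRS="${NPM_DIRS:-frontend sdk/node}"   # placeholder npm package directories
REPO="${GITHUB_REPOSITORY:-owner/repo}"     # placeholder owner/repo for step 5

# Map a scanner's exit code to clean | findings | error.
# govulncheck exits 3 when it reports vulnerabilities; Trivy exits 1 only
# because --exit-code 1 is passed below; npm audit exits 1 for findings at or
# above --audit-level. Any other non-zero code means the scanner itself broke,
# and a gate whose metric is "Critical/High = 0" must never call that "clean".
step_status() {
  case "$1:$2" in
    *:0)                               echo clean ;;
    govulncheck:3|trivy:1|npm-audit:1) echo findings ;;
    *)                                 echo error ;;
  esac
}

FAILED=0
# Run one step without aborting the script, then classify its exit code.
run_step() {
  name="$1"; shift
  set +e; "$@"; rc=$?; set -e
  status=$(step_status "$name" "$rc")
  echo "$name: $status (exit $rc)"
  [ "$status" = clean ] || FAILED=1
}

go_scan() {
  # Only vulnerable functions reachable in the module's call graph are
  # reported, which is the "fewer false positives" property of govulncheck.
  govulncheck -format sarif ./... > "$OUT/govulncheck.sarif"
}

npm_scan() {
  # First pass gates on high/critical across the whole tree. Second pass
  # audits only what ships (--omit=dev) down to low severity: a low finding
  # that appears in the first pass but not the second is a build-time
  # dev-dependency issue, as with the frontend's elliptic chain.
  for d in $NPM_DIRS; do
    (cd "$d" && npm audit --audit-level=high) || return $?
    (cd "$d" && npm audit --omit=dev --audit-level=low) || return $?
  done
}

pipeline() {
  mkdir -p "$OUT"
  # 1. Source tree: Trivy filesystem scan for known CVEs.
  run_step trivy trivy fs --scanners vuln --severity CRITICAL,HIGH --exit-code 1 \
    --format sarif --output "$OUT/trivy-fs.sarif" .
  # 2. Go modules with call-graph analysis.
  run_step govulncheck go_scan
  # 3. npm packages (frontend and Node SDK).
  run_step npm-audit npm_scan
  # 4. Container image scan after the Docker build.
  run_step trivy trivy image --severity CRITICAL,HIGH --exit-code 1 \
    --format sarif --output "$OUT/trivy-image.sarif" "$IMAGE"
  # 5. Upload each SARIF report to the GitHub Security tab. In Actions this is
  # normally github/codeql-action/upload-sarif; the REST endpoint used here
  # expects the report gzip-compressed and base64-encoded.
  for f in "$OUT"/*.sarif; do
    gh api --method POST "repos/$REPO/code-scanning/sarifs" \
      -f commit_sha="$(git rev-parse HEAD)" \
      -f ref="${GITHUB_REF:-$(git symbolic-ref HEAD)}" \
      -f sarif="$(gzip -c "$f" | base64 | tr -d '\n')"
  done
  return "$FAILED"
}

# Scans run only when invoked as "security-scan.sh run", so the helper
# functions can be sourced and exercised on their own.
if [ "${1:-}" = run ]; then pipeline; fi
```

Invoke it as `security-scan.sh run` from the repository root after the image has been built. The point of step_status is that a scanner crash (missing binary, network failure fetching the vulnerability database, malformed module) surfaces as "error" rather than being swallowed as a pass, and that a reported vulnerability surfaces as "findings" so the 48-hour and 7-day SLAs start from the build that found it.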