Contracting & Compliance
      Back to home
      1. Help Center
      2. Veonics® Portal Users Manual
      3. Contracting & Compliance

      Vulnerability Management, Assessments & Penetration Testing

      This document outlines eXpress badging®’s Vulnerability Management (VM) and Penetration Testing (VAPT) programs,

      🛡️ This article ensures the Veonics® Portal and supporting infrastructure are continuously assessed, remediated, and validated for security risks.

      It is structured to address common audit and questionnaire requirements.

      🔄 Vulnerability Management (VM)


      Vulnerability Management (VM) is the ongoing process of identifying, evaluating, prioritizing, and remediating security weaknesses across an organization’s technology environment. It involves regular scanning of servers, applications, devices, and networked equipment to detect known vulnerabilities, misconfigurations, or outdated software that could be exploited by attackers.

      Are system vulnerabilities assessed regularly?
      ✔ Yes. eXpress badging® uses Fortra VM to perform quarterly vulnerability scans across servers, endpoints, and network devices.

      How are vulnerabilities tracked and remediated?

      • Findings are logged and prioritized by severity.

      • Critical/High items: remediated immediately.

      • Medium/Low: tracked through Jira with defined due dates.

      • Verification: rescanning confirms closure before the ticket is closed.

      Is there a process for oversight?

      • The Technical Operations Department owns VM.

      • Results are reviewed quarterly in EOS Scorecards.

      • Trends are reported to executives for risk acceptance when needed.

      📄 Supporting Docs:

      🧪 Penetration Testing (VAPT)

      Do you perform penetration testing on Internet-facing systems?
      ✔ Yes. Annual penetration tests are performed against the Veonics® Portal, APIs, and AWS environment.

      What is the scope of testing?

      • Web application authentication & authorization.

      • Input validation and OWASP Top 10 vectors.

      • Network perimeter and cloud configuration.

      Can customers see the results?

      • No direct release of reports as a standard operational request.

      • Enterprise customers under NDA may request a redacted proof-of-scan report.

      • Typical turnaround: up to 30 days.

      📄 Supporting Docs:

      🛠️ Remediation & Reporting


      Our remediation program aligns with industry-recognized standards, including the NIST Cybersecurity Framework (CSF 2.0) and ISO/IEC 27001 controls, ensuring that risks are identified, prioritized, and addressed in a structured, standards-driven manner. This approach provides our customers with confidence that their data is protected under a governance model that meets modern compliance expectations.

      How are identified issues remediated?

      1. Vulnerabilities identified via VM scan or pen test.

      2. Severity triaged using CVSS scoring.

      3. Assigned to responsible owner (IT or Dev partner).

      4. Fixes applied, tracked, and documented in Jira.

      5. Verification via rescanning or targeted retesting.

      6. Executive review for risk acceptance when remediation is not feasible.

      7. Examples of remediation fixes include:

        • Disabling outdated protocols (TLS 1.0/1.1, SMBv1).

        • Replacing expired or weak SSL/TLS certificates.

        • Updating firmware on network devices and printers.

        • Enforcing stronger authentication and encryption settings.

      How do customers receive updates?

      • Enterprise customers may receive upon request:

        • Summary remediation statements.

        • Redacted scan/pen test reports (under NDA).

        • Confirmation of closure when applicable.

      🛡️Our Commitment

      • No customer data has ever been breached in our history.

      • We follow best practices from NIST Cybersecurity Framework (CSF 2.0) and vendor hardening guides to keep it that way.

      • If/when it happens, we will follow our breach process until completion.

      📊 Compliance Alignment

      Requirement Our Program Alignment
      NIST CSF 2.0 ID.RA (Risk Assessment), DE.CM (Monitoring), RS.MI (Mitigation), RC.IM (Improvement)
      ISO 27001 A.12.6 (Vulnerability Management), A.14.2 (Development & Support Security)
      OWASP Testing aligned to OWASP Top 10 vulnerabilities
      Audit Evidence NDA-required redacted reports + remediation logs

      ✅ Summary

      • Quarterly Fortra VM scans + annual pen tests ensure continuous visibility.

      • Issues are triaged, remediated, and verified through documented processes.

      • Customers can request proof of testing with proper agreements.

      • Program is aligned to NIST, ISO, and OWASP guidance.

      🔗 Related Articles: