Security audit roadmap
Trust is verified, not asserted. This page documents HIBR's path to SOC 2 Type 2 and ISO 27001 certification, our independent penetration testing cadence, our public vulnerability disclosure policy, and how customers and researchers can verify our claims at every step.
1. Certification roadmap
HIBR is pre-launch. The product goes live in October 2026. Certifications are time-bound deliverables — they require an operational period of evidence before an accredited auditor will issue a report. The timeline below shows our committed audit calendar.
Q1 2026
Internal compliance framework drafted
Information Security Policy, Access Control Policy, Incident Response Plan, Vendor Management Policy, Data Classification Standard all drafted and approved by founder + designated CISO.
Q2 2026
Security tooling baseline
AWS GuardDuty, AWS Security Hub, AWS Config enabled. Sentry error tracking with PII scrubbing. Centralized log management. Encryption at rest + in transit enforced. Audit log immutability tested.
Q3 2026
External penetration test — pre-launch
Independent third-party pen-test on the full application stack before production launch. Engagement runs 3 weeks; findings fixed before launch; summary published.
Q4 2026 (Oct)
Production launch
Compliance framework operating from day 1. Quarterly internal audit cycle begins. SOC 2 evidence collection live.
Q1 2027
SOC 2 Type 1 — kickoff
Engagement signed with accredited SOC 2 auditor. Readiness assessment + remediation. Target: report issued before end of Q2 2027.
Q2 2027
SOC 2 Type 1 — report published
A Type 1 audit covers the design of controls at a point in time. Report available to prospects and customers under NDA. Summary published publicly.
Q4 2027
SOC 2 Type 2 — 12-month operational period closes
A Type 2 audit covers the operating effectiveness of controls over a 12-month period. The clock starts at Type 1 issuance. Report published Q1 2028.
Q1 2028
SOC 2 Type 2 — report published
Full operational evidence + auditor opinion. The certification enterprise customers most often require.
Q2 2028
ISO 27001 — gap analysis
Independent gap analysis against ISO 27001:2022 Annex A controls. Remediation plan drafted.
Q4 2028
ISO 27001 — Stage 1 + Stage 2 audit
Certification audit conducted by accredited registrar. Three-year certification cycle begins.
Why these dates aren't earlier: SOC 2 Type 2 requires a 12-month operational period of evidence. There is no shortcut — you cannot buy a Type 2 for a product that has been live for 3 months. The dates above reflect the fastest credible path. Anyone claiming SOC 2 Type 2 in their first year of operation is either still in audit, has a misnamed report, or is misrepresenting.
2. Penetration testing — cadence and transparency
Cadence
- Cadence: every 6 months after launch
- First test: pre-launch, Q3 2026
- Testing firm: independent, rotated annually
- Methodology: OWASP ASVS + OWASP API Top 10
- Public summary: within 30 days of report issuance
- Full report: under NDA, to Enterprise customers
Test scope
- Web application: authentication, authorization, session management, business logic flaws, IDOR, XSS, CSRF.
- REST API: OWASP API Top 10, rate limiting, auth bypass, mass assignment, excessive data exposure.
- Mobile (if applicable): iOS + Android binary analysis, insecure storage, deep-link abuse.
- Cloud infrastructure: AWS configuration review — IAM, S3, KMS, VPC, security groups.
- SDLC: source code review of critical paths — auth, payment, VAT engine.
- Social engineering: phishing simulation against employees + customer-support reps.
What we publish, what we don't
After every pen-test cycle:
- Published publicly within 30 days: The testing firm's name, the engagement window, the methodology, the number of findings by severity (critical / high / medium / low), confirmation that all critical and high findings were remediated, and the date of remediation.
- Available to Enterprise customers under NDA: The full pen-test report with specific findings, technical details, and reproduction steps.
- Never published: Active vulnerability details before remediation. Customer-specific findings. Personally identifiable information.
3. Vulnerability disclosure program
If you discover a security vulnerability in HIBR, here's how to report it responsibly. We commit to acknowledgement, communication, and reasonable remediation timelines.
Where to report
What we commit to
- Acknowledgement of receipt within 48 hours.
- Initial triage and severity assessment within 5 business days.
- Status updates every 7 business days until resolution.
- Remediation targets: Critical = 7 days, High = 30 days, Medium = 90 days, Low = best-effort.
- Public credit (if you want it) once the vulnerability is fixed.
- Coordinated disclosure — we ask researchers to give us reasonable time to fix before public disclosure, typically 90 days from initial report.
Safe harbor
Good-faith security research conducted in accordance with the rules of engagement (§5) is welcome. We will not pursue legal action against researchers who:
- Avoid privacy violations, destruction of data, or interruption to service.
- Only test on accounts they own or have explicit authorization to test.
- Report findings to us before publicly disclosing.
- Do not attempt to extort or threaten — these are not security research; they are crimes.
4. Bug bounty program
HIBR will operate a public bug bounty program starting Q2 2027, six months after production launch. The delay is deliberate — running a bounty on a product before it has a stable production environment generates noise, not signal.
In the meantime (pre-launch through Q1 2027), we operate a discretionary recognition program:
- Eligible findings during this period receive recognition in our Hall of Fame.
- Critical findings receive a discretionary monetary award (range 1,000–10,000 depending on severity and impact).
- Reports must be original, not previously known, and not already in our backlog.
Expected bounty bands when the full program goes live (Q2 2027):
- Critical: 5,000–20,000
- High: 1,500–5,000
- Medium: 500–1,500
- Low: Recognition only
5. Testing scope & rules of engagement
In scope
- hibr.ai and all subdomains under *.hibr.ai
- HIBR Web Application (app.hibr.ai)
- HIBR REST API (api.hibr.ai)
- HIBR mobile applications (when released)
- Authentication and SSO flows
Out of scope
- Denial-of-service attacks (volumetric, rate-limit-busting, brute-force at scale)
- Social engineering of HIBR employees outside an agreed-upon engagement
- Physical security of HIBR offices or staff
- Findings on third-party infrastructure (AWS, Stripe, etc.) — report directly to the third party
- Spam or content injection that requires no authentication bypass
- Self-XSS that requires a user to paste content into their own console
- Missing security headers without demonstrable exploit
- Reports generated entirely from automated scanners without human verification
- Vulnerabilities in unsupported browsers (IE, Edge Legacy, browsers older than 2 major versions)
Important — test on your own data only. Create your own account, use only data you own, and never access another customer's account. Accessing another customer's data is not security research; it is a privacy violation and we will pursue it.
6. Trust reports & transparency
Once HIBR launches, we publish a quarterly Trust Report. It documents the previous quarter's:
- Total security incidents by severity
- Pen-test cycle status
- VDP and bug bounty activity (number of reports, remediation time, awards paid)
- Government data requests received (anonymized count, jurisdiction)
- Subprocessor changes
- Compliance milestones achieved
- Restore drill results (RTO and RPO actuals vs SLA commitments)
The first Trust Report covers Q4 2026 and is published in January 2027.
Want the full security pack for procurement?
Enterprise prospects receive the Data Processing Agreement, subprocessor list, pen-test summary, and SOC 2 readiness report under NDA. Reserve a beta seat to start the procurement conversation.