Security
Last reviewed: 2026-04-20 · v2.2.1-D
Certifications & audits
- SOC 2 Type II — In progress, observation window opened Q1 2026. Report expected Q3 2026.
- Penetration testing — latest internal full-stack assessment: 2026-04-17 (v2.2.0-S1).
- ISO 27001 — gap assessment complete; certification targeted H2 2026.
CVE patching SLA
| Severity | Patch within | Tracked in |
|---|---|---|
| Critical (CVSS 9.0+) | 24 hours | BUG_TRACKER.md |
| High (CVSS 7.0-8.9) | 7 days | BUG_TRACKER.md |
| Medium (CVSS 4.0-6.9) | 30 days | BUG_TRACKER.md |
| Low (CVSS < 4.0) | Next minor release | BUG_TRACKER.md |
Incident history (12 months)
| Date | Class | Status | Summary |
|---|---|---|---|
| 2026-04-17 | Internal pentest | Closed | Sprint v2.2.0-S1 pentest — all HIGH/CRITICAL remediated before public ship. |
| — | — | — | No customer-impacting incidents in the rolling 12-month window. |
Reporting a vulnerability
Email security@simplification.io. PGP key available on request. We target acknowledgement within 24 hours and triage within 72 hours.