Last updated Jun 14, 2026

Pentest engagement template

Annual external pentest contracted with a recognised security firm. Quarterly internal purple team rotates among the bounded-context owners.

Scope

In scope

The Matter API surface at api.mattermode.com (live + sandbox endpoints).
The dashboard at app.mattermode.com.
The marketing surface at mattermode.com (XSS / CSRF / supply chain).
The MCP server surface at mcp.mattermode.com.
Authentication flows (bearer, mTLS, M2M OAuth, SAML, SCIM, step- up).
Webhook delivery + signature verification.
Audit chain integrity + Rekor anchoring.
Mode segregation (live / sandbox / test).
Per-tenant isolation.
Secrets management (token revocation, KMS rotation).

Out of scope

The customer's own infrastructure receiving our webhooks.
Third-party providers (Clerk, Vercel, Neon) — escalate to them for their pentest scope.
DDoS / sustained volumetric attacks (handled by edge provider).

Rules of engagement

Testing window: 2 weeks, off-peak (no marketing campaigns or customer demos scheduled).
Test environment: dedicated staging environment with production-scale data (PII-scrubbed); not production.
Rate limits relaxed (10x) for the test window; the testers' source ASN is allow-listed.
Customer-impact incidents triaged within 15 minutes; testing pauses until resolved.
All findings reported via the bug bounty tracker with CVSS scoring.

Deliverables

The engaged firm provides:

Findings report — every finding with CVSS, repro steps, affected surface, recommended remediation. Delivered within 2 weeks of test window close.
Executive summary — 1-page risk roll-up for board + SOC 2 auditors.
Re-test after remediation, included in engagement fee.

Internal preparation

Before each engagement:

Threat model up-to-date (threat-model.mdx).
All canary credentials rotated.
PII canary deployed (pii-canary.ts).
Anomaly detection thresholds tightened for the test window.
Test-environment seeded with realistic data.
Bounded-context owners briefed.

Internal follow-through

Each finding flows through the tracker (apps/api/lib/pentest-tracker.ts):

Critical: 7-day remediation SLA.
High: 30 days.
Medium: 60 days.
Low: 120 days.

SLA breach pages the security on-call.

Reciprocity

Matter publishes a public security page with:

Bug-bounty policy.
Coordinated disclosure timeline.
Acknowledgements for reporters (with consent).

Located at mattermode.com/security.

Pentest engagement template

Annual external penetration test scope of work.

Last updated Jun 14, 2026

Pentest engagement template

Annual external pentest contracted with a recognised security firm. Quarterly internal purple team rotates among the bounded-context owners.

Scope

In scope

The Matter API surface at api.mattermode.com (live + sandbox endpoints).
The dashboard at app.mattermode.com.
The marketing surface at mattermode.com (XSS / CSRF / supply chain).
The MCP server surface at mcp.mattermode.com.
Authentication flows (bearer, mTLS, M2M OAuth, SAML, SCIM, step- up).
Webhook delivery + signature verification.
Audit chain integrity + Rekor anchoring.
Mode segregation (live / sandbox / test).
Per-tenant isolation.
Secrets management (token revocation, KMS rotation).

Out of scope

The customer's own infrastructure receiving our webhooks.
Third-party providers (Clerk, Vercel, Neon) — escalate to them for their pentest scope.
DDoS / sustained volumetric attacks (handled by edge provider).

Rules of engagement

Testing window: 2 weeks, off-peak (no marketing campaigns or customer demos scheduled).
Test environment: dedicated staging environment with production-scale data (PII-scrubbed); not production.
Rate limits relaxed (10x) for the test window; the testers' source ASN is allow-listed.
Customer-impact incidents triaged within 15 minutes; testing pauses until resolved.
All findings reported via the bug bounty tracker with CVSS scoring.

Deliverables

The engaged firm provides:

Findings report — every finding with CVSS, repro steps, affected surface, recommended remediation. Delivered within 2 weeks of test window close.
Executive summary — 1-page risk roll-up for board + SOC 2 auditors.
Re-test after remediation, included in engagement fee.

Internal preparation

Before each engagement:

Threat model up-to-date (threat-model.mdx).
All canary credentials rotated.
PII canary deployed (pii-canary.ts).
Anomaly detection thresholds tightened for the test window.
Test-environment seeded with realistic data.
Bounded-context owners briefed.

Internal follow-through

Each finding flows through the tracker (apps/api/lib/pentest-tracker.ts):

Critical: 7-day remediation SLA.
High: 30 days.
Medium: 60 days.
Low: 120 days.

SLA breach pages the security on-call.

Reciprocity

Matter publishes a public security page with:

Bug-bounty policy.
Coordinated disclosure timeline.
Acknowledgements for reporters (with consent).

Located at mattermode.com/security.

Pentest engagement template

Pentest engagement template

Scope

In scope

Out of scope

Rules of engagement

Deliverables

Internal preparation

Internal follow-through

Reciprocity

On this page

Pentest engagement template

Pentest engagement template

Scope

In scope

Out of scope

Rules of engagement

Deliverables

Internal preparation

Internal follow-through

Reciprocity

On this page