Penetration Test Scope (Pre-Launch)
In Scope
- Public HTTP APIs (all auth/user/billing/provision/admin/storage endpoints)
- WebSocket endpoints (terminal + planned notifications)
- AuthN/AuthZ enforcement and tenant boundary controls
- Stripe webhook handling and replay protections
- Secret handling and sensitive data exposure
Out of Scope
- Third-party provider internals (Stripe infrastructure)
- Customer-managed GPU node internals outside agent setup path
Success Criteria
- No unresolved critical/high vulnerabilities.
- Medium findings have mitigation or accepted risk with owner and date.
- Retest confirms remediation for critical/high findings.
Required Artifacts
- Test plan
- Findings report with CVSS/severity
- Remediation tracker
- Retest report