
πŸ•΅οΈ Vulnerability Scanning Process

1. Purpose

This document explains Nemu Inc.’s process for conducting internal and/or external vulnerability assessment activities.

2. Scope

Covers:

  • Application-level vulnerabilities in web and API services.
  • Dependencies used in Nemu Inc.’s software.
  • CSP-managed services where vulnerability visibility is available.

3. Scanning Methods

  • Dependency Scanning:
    • Use of tools such as npm audit or repository-integrated scanners (e.g., GitHub Dependabot) to identify vulnerable libraries.
  • Application and Infrastructure:
    • CSP-level scanning and monitoring where provided.
    • Optional use of third-party scanning services for public endpoints.

4. Process Steps

  1. Identify Vulnerabilities:
    • Monitor tools for new findings.
  2. Triage and Prioritize:
    • Classify by severity and exploitability.
  3. Remediation:
    • Update dependencies, adjust configurations, or apply patches.
  4. Validation:
    • Confirm issues are resolved via rescans or tests.
  5. Documentation:
    • Record key findings and remediation steps.
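The dependency-scanning method in section 3 and the identify / triage / remediate / validate / document steps in section 4 can be carried out over the machine-readable output of `npm audit --json`. The script below is an added illustration of that workflow, not Nemu Inc.'s own tooling: it parses a report, ranks findings by severity and by whether the affected package is a direct dependency with a fix available, and emits one remediation record per finding. It assumes the `auditReportVersion` 2 format that npm 7 and later produce; the embedded sample report and the SLA day counts are constructed for the example and are not real scan results or stated company policy.

```python
"""Triage `npm audit --json` output (added example, not Nemu Inc.'s tooling).

Assumes npm's auditReportVersion 2 layout (npm 7+): each entry under
report["vulnerabilities"] carries "severity", "isDirect", "fixAvailable",
"range" and "via". SAMPLE_REPORT and SLA_DAYS are constructed for illustration.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1, "info": 0}

# Assumed remediation targets in days; the page itself sets no such numbers.
SLA_DAYS = {"critical": 1, "high": 7, "moderate": 30, "low": 90, "info": 180}

# Constructed sample in the npm 7+ report shape; package names and advisories are fictional.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True,
            "via": [{"title": "Prototype pollution (constructed)", "url": "https://example.invalid/adv/1"}],
            "effects": [], "range": "<2.0.0", "nodes": ["node_modules/example-parser"],
            "fixAvailable": True,
        },
        "example-transitive": {
            "name": "example-transitive", "severity": "critical", "isDirect": False,
            "via": [{"title": "Template RCE (constructed)", "url": "https://example.invalid/adv/2"}],
            "effects": ["example-cli"], "range": "<=1.4.2", "nodes": ["node_modules/example-transitive"],
            # A fix exists only by bumping the parent to a new major version.
            "fixAvailable": {"name": "example-cli", "version": "3.0.0", "isSemVerMajor": True},
        },
        "example-logger": {
            "name": "example-logger", "severity": "low", "isDirect": True,
            "via": ["example-transitive"],  # a string here means "vulnerable through that dependency"
            "effects": [], "range": "*", "nodes": ["node_modules/example-logger"],
            "fixAvailable": False,
        },
    },
})


@dataclass
class Finding:
    package: str
    severity: str
    direct: bool
    fix_available: bool
    breaking_fix: bool
    titles: list[str]
    sla_days: int


def parse_report(raw: str) -> list[Finding]:
    """Step 1 (identify): turn the raw audit JSON into Finding objects."""
    report = json.loads(raw)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm auditReportVersion 2 (npm 7 or later)")
    findings = []
    for name, v in report.get("vulnerabilities", {}).items():
        fix = v.get("fixAvailable", False)
        # "via" mixes advisory dicts and plain strings (dependency-chain entries).
        titles = [x["title"] for x in v.get("via", []) if isinstance(x, dict)]
        findings.append(Finding(
            package=name,
            severity=v["severity"],
            direct=bool(v.get("isDirect")),
            fix_available=bool(fix),
            breaking_fix=isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
            titles=titles,
            sla_days=SLA_DAYS[v["severity"]],
        ))
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Step 2 (triage): highest severity first, then direct dependencies (code the
    application calls itself), then findings that already have a fix."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], not f.direct,
                                           not f.fix_available, f.package))


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per severity, for the scan record."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


def remediation_record(findings: list[Finding]) -> list[dict]:
    """Steps 3 and 5 (remediate, document): one row per finding with the planned action."""
    rows = []
    for f in prioritize(findings):
        if f.breaking_fix:
            action = "upgrade (major version bump, regression-test before release)"
        elif f.fix_available:
            action = "upgrade"
        else:
            action = "no fix published: mitigate or track until one exists"
        rows.append({"package": f.package, "severity": f.severity, "direct": f.direct,
                     "action": action, "due_in_days": f.sla_days})
    return rows


if __name__ == "__main__":
    # Pipe a real report in (`npm audit --json | python triage.py`) or run on the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    parsed = parse_report(raw)
    print(json.dumps({"summary": summarize(parsed), "plan": remediation_record(parsed)}, indent=2))
```

Step 4 (validation) is the same script run again after the upgrade: a finding counts as closed only when it disappears from a fresh `npm audit --json` rather than when the ticket is marked done.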

5. Latest Scan Results

  • Nemu Inc. maintains internal records of recent vulnerability scans and resolutions, which may be shared with customers under NDA upon request.

6. Audit Evidence

  • Example vulnerability scan reports (with sensitive details redacted).
  • Records of remediation tickets and code changes.
  • Documentation of scanning schedule and tools.

7. Compliance Mapping

  • SOC 2: CC7.1, CC7.2
  • ISO 27001:2013: A.12.6.1

Contact: support@mynemu.com
© 2025 Nemu Inc. All rights reserved.
