Security Testing Policy

Overview

Credenti is committed to maintaining the highest standards of cybersecurity, passwordless authentication, and Zero Trust access control. Our platform secures user access at the operating system login layer, application layer, and identity infrastructure layer.

We support responsible security testing and penetration testing conducted in a controlled and authorized manner. This Security Testing Policy defines the permitted scope, prohibited activities, and governance requirements for testing Credenti Software and Services.

Important: This policy applies specifically to customers and authorized third parties performing security testing on Credenti Software and Services. It does not describe or limit Credenti’s internal security practices. Credenti employs a comprehensive, multi-layered security program that includes a broad range of testing and validation methodologies, such as secure development practices, static and dynamic analysis, internal and third-party penetration testing, and continuous security monitoring; those internal practices are beyond the scope of this policy.

Scope of Coverage

This policy applies to all Credenti Software and Services, including:

  • Passwordless authentication platforms
  • Secure workstation and device login solutions
  • Identity and Access Management (IAM) services
  • Browser extensions and endpoint agents
  • Operating system authentication and login components, including Windows Credential Providers, authentication packages, macOS login integrations, Linux PAM modules, and other pre-login or workstation unlock mechanisms
  • APIs, backend services, and authentication infrastructure
  • Containerized workloads, virtual machine images, and deployment artifacts
  • On-premise, cloud, hybrid, and air-gapped deployments

Permitted Security Testing

Credenti permits controlled, non-intrusive, and black-box security testing that evaluates system behavior without accessing internal implementation or proprietary logic.

Allowed Activities

  • Black-box penetration testing
  • Network and perimeter security testing
  • API testing using documented interfaces
  • Authentication and authorization flow validation
  • Configuration and policy validation
  • Non-destructive vulnerability scanning

These approaches align with modern Zero Trust validation principles, where systems are tested externally without exposing internal design or weakening identity assurance mechanisms.

Testing Methodologies and Restrictions

Credenti supports security testing approaches aligned with a Zero Trust model, where systems are evaluated externally without exposing internal implementation details.

Permitted Methodology

  • Black-box testing: Testing performed without access to source code, binaries, or internal system design

Restricted Methodologies

  • White-box testing: Testing that requires access to source code, internal architecture, or implementation details
  • Gray-box testing: Testing that relies on partial knowledge of system internals, APIs, or design
  • Static Application Security Testing (SAST): Code-level analysis, including source code review, binary decompilation, or reverse engineering

These restricted methodologies inherently involve access to or analysis of proprietary logic, authentication mechanisms, or operating system login integrations, and are therefore not permitted without explicit written authorization from Credenti.

Prohibited Activities

To protect Credenti’s passwordless authentication architecture, operating system login integrations, and proprietary security mechanisms, the following activities are strictly prohibited.

Reverse Engineering and Code Analysis

  • Decompiling, disassembling, decoding, or reverse engineering any Software component
  • Extracting or analyzing binaries, executables, or browser extensions
  • Inspecting container images, virtual machine images, or deployment artifacts
  • Debugging, instrumentation, or memory inspection
  • Decompiling, inspecting, or analyzing operating system authentication and login components, including Windows Credential Providers, authentication packages, macOS login integrations, Linux PAM modules, and related authentication mechanisms

AI-Based Analysis and External Processing

  • Uploading Software, binaries, artifacts, or outputs to artificial intelligence (AI) or machine learning platforms
  • Submitting Credenti components to code analysis tools or external SaaS environments
  • Using third-party services that require external upload of binaries, code, or proprietary artifacts

Internal Architecture Discovery

  • Attempting to derive or reconstruct source code
  • Attempting to derive system architecture, security controls, or authentication logic
  • Attempting to discover credential handling mechanisms or proprietary workflows

Disruptive or Malicious Testing

  • Denial-of-service (DoS or DDoS) attacks
  • Data exfiltration attempts
  • Unauthorized privilege escalation
  • Lateral movement beyond approved scope
  • Interference with production systems or user access

Unauthorized Sharing or Third-Party Access

  • Sharing Software, artifacts, or access with unapproved third parties
  • Using tools or platforms that require uploading code or binaries externally
  • Allowing unapproved vendors or testers to access Credenti systems

Testing Authorization Requirements

All security testing must be explicitly authorized in writing by Credenti prior to execution.

Requirements

  • Defined scope, systems, and timelines
  • Identification of the testing entity, whether internal or third party
  • Disclosure of the tools and methodologies to be used
  • Identification of the target environments
  • Agreement to comply with the Credenti EULA and this Security Testing Policy

Unauthorized testing is strictly prohibited.

Third-Party Testing Controls

If testing is conducted by a third party:

  • The third party must be approved by Credenti
  • The third party must be bound by confidentiality and non-disclosure obligations
  • The third party must comply fully with the Credenti EULA and this Security Testing Policy

The Customer remains fully responsible for all actions performed by third-party testers.

Data Handling and Confidentiality

All testing outputs, including logs, findings, and artifacts, are considered Confidential Information.

Requirements

  • No public disclosure without prior written approval
  • No upload to external or third-party platforms
  • No use for competitive analysis or product development
  • Secure storage and controlled access at all times

Vulnerability Disclosure

Credenti encourages responsible disclosure of security findings.

Report Vulnerabilities

Email: security@credenti.com

Please include:

  • Detailed description of the issue
  • Steps to reproduce
  • Impact assessment
  • Supporting evidence, such as logs, screenshots, or traces

Safe Harbor

Credenti will not pursue legal action against security researchers who:

  • Act in good faith
  • Comply with this policy
  • Avoid exploitation beyond necessary validation
  • Do not violate applicable laws or compromise user data

Zero Trust and Passwordless Security Alignment

Credenti’s platform is built on:

  • Passwordless authentication with no shared secrets
  • Phishing-resistant identity verification
  • Device and context-based access control

Security testing must respect these controls and must not attempt to bypass or weaken identity assurance mechanisms outside approved scenarios.

Enforcement

Violations of this policy may result in:

  • Immediate suspension of access
  • Termination of agreements
  • Legal action under applicable law
  • Enforcement under intellectual property protections and confidentiality obligations