# Vulnerability Assessment

1. For solutions handling personal data: Complete a vulnerability assessment if it is stated as **mandatory** in your solution's requirements checklist.

{% hint style="info" %}
Vulnerability Assessment (VA) is the examination of an information system or product to determine the adequacy of its security measures, identify security deficiencies, predict the effectiveness of proposed security measures, and confirm the adequacy of those measures after implementation.
{% endhint %}

2. Check your [solution's category requirements](/pre-approval-guide/stage-1-vendor-self-assessment/identify-suitable-solution-category.md) to determine if a vulnerability assessment is mandatory. The vulnerability assessment requirement is shown in the table below.

| <p>Has your solution undergone a comprehensive security vulnerability assessment/penetration testing (VA/PT) conducted by a qualified third party within the last 12 months? The scope of the VA/PT must cover network security; application security; data protection measures and access control (if applicable); API security testing (if applicable); and cloud security configuration review (if applicable). Specifically, for web application security, the scope must cover at minimum all OWASP Top 10 vulnerabilities.</p><p>Please submit the VA/PT report (dated at most 1 year before the checklist submission date). The VA/PT report must include: executive summary; detailed findings and risk ratings; remediation recommendations; evidence of vulnerability fixes or mitigation plans; testing methodology used; scope of assessment; and the assessor's qualifications and certifications.</p><p>If you are a reseller of the solution, please obtain the VA/PT report from your product principal. A SOC 2 Type II report can be accepted if the detailed technical vulnerability assessment results are part of the SOC 2 Type II scope.</p><p>Note:<br>[1] Qualified third party refers to: CREST-certified companies (<a href="https://www.crest-approved.org/members/">https://www.crest-approved.org/members/</a>) or companies with security professionals holding relevant CREST certifications; or security professionals with recognised certifications such as Offensive Security Certified Professional (OSCP), EC-Council Certified Penetration Testing Professional (CPENT), GIAC Penetration Tester (GPEN), or other equivalent industry-recognised certifications.</p> |
| --- |

{% hint style="info" %}
**Preparing for submission?**

* Your submission should include:
  * a) Name of the third-party assessor
  * b) Date of the assessment test
  * c) The latest Vulnerability Assessment report, with the file named "Vulnerability Assessment Report DDMMYYYY.pdf"
* The Vulnerability Assessment test must have been conducted within one year before the checklist submission
* The report must not contain any high or critical findings
* The scope must cover the solution being submitted for approval
{% endhint %}

{% hint style="success" %}
Tips: We recommend starting with this step first while working on other parts of your pre-approval application simultaneously.
{% endhint %}

{% hint style="warning" %}
FAQ

Q: Can I submit my application before completing this requirement?

A: No, this requirement must be fulfilled before submission. However, you can work on this while preparing other application requirements.
{% endhint %}
