How We Approach Security at QMENTA: Our 2025 Annual Audit Results

Every year, we bring in an independent third party to try to break into our platform. And this year, we are publishing the results — not because we're required to, but because we think you deserve to know.

Transparency about security isn't always comfortable. Publishing findings opens you up to scrutiny. But we believe that accountability builds trust more reliably than silence does. So here's our 2025 annual security assessment final result: zero open critical, high, or medium vulnerabilities. Our cleanest result to date — and this year, we tested more surface area than ever before.

What Is a Web Application Security Assessment, and Why Do We Do It Every Year?

A Web Application Security Assessment (WASA) is a structured, authorized evaluation designed to find weaknesses in a system before someone with bad intentions does. It goes beyond a traditional penetration test: while a pentest focuses on probing servers and services, a WASA focuses on in-depth manual testing of the application itself — for example, checking whether a user could access another user's data they shouldn't be able to see, or whether an attacker could exploit injection vulnerabilities by embedding malicious code into inputs like shared project names.

We commission this assessment annually from the same security firm we've worked with since 2020. The primary objective is to determine the security level of the web application from both an external and internal perspective, covering common known web attacks including the OWASP Top Ten, as well as application-specific attack vectors. Using a white box approach — meaning the testers are given documentation, architecture details, and internal context rather than starting blind — they can probe more deeply than a purely external attacker would.

This year's scope was the broadest we've run. In addition to our core Platform (which has been assessed every year), we included our new Central Review (CR) application (not yet released at the time of testing) and our new Identity and Access Management (IAM) system, which centralizes authentication across the apps through single sign-on (SSO).

More components in scope means more potential exposure to assess — and more confidence in the results when they come back clean.

What They Found

The final result of the 2025 assessment is three low-severity findings. Low-severity findings are potential vulnerabilities with low damage potential, or violations of security best practices. Here's how the full breakdown looked:

Severity    Count
Critical    0
High        0
Medium      0
Low         3

One thing worth underscoring: all testing was conducted in a staging environment. No production systems were accessed during the assessment, and no customer data was ever at risk.

How We Responded

We follow a structured remediation process. Critical findings — had there been any — would have been addressed immediately, before anything else. High and medium issues follow on the same priority track.

The three low-severity findings from this year's test went through our formal risk assessment process. Each one was evaluated for likelihood, potential impact, and remediation effort. Two were resolved through code or configuration changes; one was accepted with documented compensating controls in place. All findings, regardless of severity, are tracked to closure and verified through re-testing by the same independent firm.

This process isn't ad hoc. It's the same structured approach we've applied every year since we began publishing these results.

How This Year Compares to Previous Years

We've been running annual assessments since 2020. Here's the full picture:

Year    Critical    High    Medium    Low    Scope
2020    0           0       8         1      Platform
2021    0           1       3         1      Platform
2022    0           0       4         3      Platform
2023    0           0       2         1      Platform
2024    0           0       6         4      Platform
2025    0           0       0         3      Platform + CR + SSO

A few things stand out. 2025 is the first year we've closed out with zero critical, high, or medium findings. The uptick in medium findings between 2023 and 2024 is a good reminder that security isn't a straight line; adding features and components naturally introduces new considerations, and attackers find new creative ways to breach existing systems.

What makes the 2025 result particularly meaningful is that we expanded the scope significantly. Testing three systems instead of one and still coming out with only three low-severity issues isn't luck — it reflects deliberate security work done throughout the year, not just in response to audit findings.

What We're Building Toward

Passing an annual audit is a milestone, not a finish line. The threat landscape keeps shifting, and so does our approach to staying ahead of it.

We're continuing to push security earlier in the development cycle — what the industry calls "shift left." The idea is straightforward: catching a security issue during design or development is far cheaper and less disruptive than catching it in production. This means integrating automated scanning into our CI/CD pipeline, requiring security review as part of our definition of "done" for new features, and treating security as a first-class requirement from day one — not an afterthought.

This isn't a reaction to anything that went wrong. It's where the field is heading, and we want to be building accordingly.

One area we're actively investing in is Software Composition Analysis (SCA). While we already generate a comprehensive Software Bill of Materials (SBOM) to inventory every direct and transitive dependency in our systems, SCA takes that visibility a crucial step further. Supply chain attacks have become one of the most significant risk vectors in the industry. In the OWASP Top 10:2025 community survey, 50% of respondents ranked software supply chain failures as their number one risk. By leveraging SCA, we don't just log what's running inside QMENTA; we continuously analyze and monitor those components to automatically detect and remediate vulnerabilities in third-party libraries.
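To make the SBOM-versus-SCA distinction concrete, here is an added illustration (not QMENTA's tooling or code) of the step SCA adds: cross-referencing a CycloneDX-style SBOM against an advisory feed and gating a CI pipeline on the result, as the "shift left" paragraph above describes. The SBOM, the advisory entries and their ids are all constructed placeholders, and the version logic assumes plain dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM with placeholder libraries. By itself it is
# only an inventory: it records what is present, not whether it is vulnerable.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2", "purl": "pkg:pypi/libfoo@1.4.2"},
        {"type": "library", "name": "libbar", "version": "3.0.1", "purl": "pkg:pypi/libbar@3.0.1"},
        {"type": "library", "name": "libbaz", "version": "0.9.0", "purl": "pkg:pypi/libbaz@0.9.0"},
    ],
})

# Constructed advisory feed with placeholder ids; a real SCA tool refreshes this
# continuously from a vulnerability database. "fixed" is the first safe version.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "libfoo", "introduced": "1.0.0", "fixed": "1.5.0", "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "libbar", "introduced": "2.0.0", "fixed": "3.0.0", "severity": "medium"},
    {"id": "ADVISORY-PLACEHOLDER-3", "package": "libbaz", "introduced": "0.5.0", "fixed": None, "severity": "low"},
]

def parse_version(v):
    # Assumes dotted numeric versions such as "1.4.2"; no pre-release tags.
    return tuple(int(p) for p in v.split("."))

def is_affected(version, advisory):
    """Affected if introduced <= version < fixed; fixed=None means no fix yet."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])

def scan_sbom(sbom_json, advisories):
    """The SCA step: match every SBOM component against the advisory feed."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({"component": comp["purl"], "advisory": adv["id"],
                                 "severity": adv["severity"], "fixed": adv["fixed"]})
    return findings

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def ci_gate(findings, fail_at="medium"):
    """Shift-left gate: returns True (pipeline passes) only if every finding is below the threshold."""
    return all(SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[fail_at] for f in findings)

if __name__ == "__main__":
    findings = scan_sbom(SBOM_JSON, ADVISORIES)
    for f in findings:
        print(f)
    print("pipeline passes:", ci_gate(findings))
```

With the constructed data, libfoo (no fixed version reached) and libbaz (no fix published) are flagged while libbar, already at a fixed version, is not; the high-severity finding fails the default gate.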

Security as an Ongoing Commitment

The annual WASA is one layer of a broader security posture. It sits alongside continuous monitoring, internal code reviews, dependency scanning, access controls, encryption standards, and the processes we follow every day. No single audit, however thorough, captures everything. What they do is force accountability — to look carefully, fix what's found, and document the work.

We'll keep publishing these results every year. If you're a QMENTA customer or partner and you have questions about any of this — about our security practices, our architecture, or what any of these findings actually mean in practice — please reach out. These conversations matter to us, and we'd rather have them openly than not at all.

Hernan Foffani is a Principal Engineer at QMENTA.

Léo Gabaix is an Application Security Engineer at QMENTA.
