Vulnerability Management
This page describes how Sotera identifies, evaluates, and remediates security vulnerabilities in the Breeze platform.
Penetration testing
The Breeze platform undergoes periodic third-party penetration testing. Engagements typically cover:
- The authenticated and unauthenticated web-application surface of the customer portal.
- The GraphQL and REST API surface exposed by the backend.
- The single sign-on and eID flows (OAuth 2.0, OIDC).
- Common web-application risk classes from the OWASP Top 10.
Findings are triaged using a severity-based prioritization process, with critical and high-severity issues remediated as expedited fixes through the standard release process. Reports are made available to customers under a non-disclosure agreement; please request a copy through your account contact.
Dependency hygiene
The Breeze backend and frontend pin all dependencies to exact versions to ensure deterministic, reproducible builds. Continuous integration runs on every pull request and includes:
- TypeScript type checking.
- Build verification across both the backend and frontend.
Dependency upgrades for security-relevant fixes are prioritized and ride the standard CI/CD release flow. Sotera continues to expand its automated software-supply-chain checks; updates will be reflected on this page as they are introduced.
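The exact-version pinning described above is easy to enforce mechanically. The following is an added example, not Sotera's or the Breeze project's own code: a small TypeScript check that reads a package.json-shaped manifest and reports any dependency whose version spec is a range or tag rather than an exact version, so a CI job can fail before an unpinned spec reaches a release. The manifest contents are constructed for illustration.

```typescript
// Added example (not Sotera's code): flag dependency specs in a package.json-shaped
// manifest that are not exact pinned versions. The sample manifest below is constructed.

type DependencyMap = Record<string, string>;

interface PackageManifest {
  dependencies?: DependencyMap;
  devDependencies?: DependencyMap;
}

// An exact semver version: MAJOR.MINOR.PATCH, optionally with prerelease and build metadata.
// Anything else (^, ~, >=, *, "latest", "1.2") is treated as unpinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec: string): boolean {
  return EXACT_VERSION.test(spec.trim());
}

interface UnpinnedDependency {
  section: "dependencies" | "devDependencies";
  name: string;
  spec: string;
}

// Walk both dependency sections and collect every spec that is not an exact version.
function findUnpinned(manifest: PackageManifest): UnpinnedDependency[] {
  const out: UnpinnedDependency[] = [];
  for (const section of ["dependencies", "devDependencies"] as const) {
    const deps = manifest[section] ?? {};
    for (const [name, spec] of Object.entries(deps)) {
      if (!isExactVersion(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Constructed sample manifest (not a real project file): two sections, a mix of
// exact pins and the range/tag forms the check is meant to catch.
const SAMPLE_MANIFEST: PackageManifest = {
  dependencies: {
    graphql: "16.8.1",
    express: "^4.18.2",
    pg: "~8.11.0",
  },
  devDependencies: {
    typescript: "5.3.3",
    jest: "latest",
    eslint: ">=8.0.0",
  },
};

// Report in a form a CI log can show; a real job would exit non-zero when findings exist.
const findings = findUnpinned(SAMPLE_MANIFEST);
for (const f of findings) {
  console.log(`${f.section}/${f.name}: "${f.spec}" is not an exact version`);
}
console.log(findings.length === 0 ? "all dependencies pinned" : `${findings.length} unpinned spec(s)`);
```

Exact specs in the manifest cover direct dependencies only; transitive versions are fixed by the lockfile, so the pinning check is complemented by installing from the lockfile (for example with `npm ci`) rather than resolving ranges at build time.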
Internal review
Code review is mandatory: every change to production code is reviewed by at least one engineer other than the author before it can be merged. The review specifically considers:
- Authorization and tenant-scoping correctness on new resolvers.
- Handling of user-supplied input in places that produce HTML or queries.
- Error handling and the avoidance of sensitive-data disclosure in errors.
- Logging — confirming that secret material is never written to logs.
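Three of the review items above (tenant scoping on resolvers, sensitive data in errors, and secrets in logs) can be illustrated in a few dozen lines. The following is an added example written for this page, not Sotera's or the Breeze codebase's own code: a resolver written without a tenant check next to the scoped form a reviewer would expect, an error mapper that lets only deliberately safe messages reach the client, and a log-redaction helper. The context shape, the in-memory invoice store and the field names are assumptions.

```typescript
// Added example (not Sotera's code): tenant-scoped resolver, safe client errors and
// log redaction. Types, names and the in-memory store are assumptions for illustration.

interface RequestContext {
  tenantId: string; // taken from the verified session, never from request arguments
  userId: string;
}

interface Invoice {
  id: string;
  tenantId: string;
  amountCents: number;
}

// Constructed in-memory store standing in for the database.
const INVOICES: Invoice[] = [
  { id: "inv-1", tenantId: "tenant-a", amountCents: 1200 },
  { id: "inv-2", tenantId: "tenant-b", amountCents: 9900 },
];

// An error class whose message is deliberately safe to show to clients.
class NotFoundError extends Error {
  constructor() {
    super("Resource not found");
    this.name = "NotFoundError";
  }
}

// The shape a reviewer should reject: the lookup key is the id alone, so a caller
// belonging to tenant-b can read tenant-a's invoice by guessing its id.
function invoiceResolverUnscoped(_ctx: RequestContext, args: { id: string }): Invoice | undefined {
  return INVOICES.find((inv) => inv.id === args.id);
}

// The scoped shape: the tenant from the verified context is part of the lookup key,
// and a cross-tenant id is indistinguishable from a nonexistent one.
function invoiceResolver(ctx: RequestContext, args: { id: string }): Invoice {
  const inv = INVOICES.find((i) => i.id === args.id && i.tenantId === ctx.tenantId);
  if (!inv) throw new NotFoundError();
  return inv;
}

// Error mapping at the API boundary: only safe error classes keep their text; anything
// else (driver errors, stack traces, hostnames) collapses to a generic message.
function toClientError(err: unknown): { message: string } {
  if (err instanceof NotFoundError) return { message: err.message };
  return { message: "Internal error" };
}

// Log redaction: fields whose names suggest secret material are replaced before the
// record is serialised, so a token in a header never reaches the log store.
const SECRET_KEY = /(password|secret|token|authorization|cookie|api[-_]?key)/i;

function redactForLog(record: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(record)) {
    out[key] = SECRET_KEY.test(key) ? "[REDACTED]" : value;
  }
  return out;
}

// Demonstration: a tenant-b caller asking for a tenant-a invoice.
const callerFromTenantB: RequestContext = { tenantId: "tenant-b", userId: "u-7" };
console.log("unscoped:", invoiceResolverUnscoped(callerFromTenantB, { id: "inv-1" })); // leaks tenant-a data
try {
  invoiceResolver(callerFromTenantB, { id: "inv-1" });
} catch (e) {
  console.log("scoped:", toClientError(e)); // { message: "Resource not found" }
}
console.log("db error as seen by client:", toClientError(new Error("connection refused to db-internal")));
console.log("log record:", redactForLog({ userId: "u-7", authorization: "Bearer abc123", path: "/graphql" }));
```

The scoped resolver deliberately returns the same not-found result for a foreign tenant's id and for an id that does not exist, so the response does not confirm whether a resource exists in another tenant.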
Vulnerability disclosure
If you believe you have identified a vulnerability in the Breeze platform, please contact:
We follow a coordinated-disclosure approach: please give us a reasonable opportunity to investigate and remediate before public disclosure. We will acknowledge your report on receipt and keep you informed of our progress through resolution.
When reporting, please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, or a proof-of-concept where possible.
- The affected URLs, endpoints, or features.
- Your contact information for follow-up.
Patching
Security-relevant fixes are deployed through the standard CI/CD pipeline. Critical issues that cannot wait for the next scheduled release are deployed as expedited hotfixes after the same code-review and automated-check gates as a normal release.
Customer-impacting security advisories — for example, a vulnerability that requires customer action to mitigate — are communicated through the customer's account contact and, where applicable, through the partner channel.