{
  "$defs": {
    "Confidentiality": {
      "description": "Cross-cutting confidentiality classification used across the privacy,\nsecurity, knowledge and IR pillars. Default rendering rule: `corpospec-report`\nexcludes `restricted | board_only | investor_only` records from public output\nunless an explicit audience parameter overrides. See BDR 0076 §1.",
      "oneOf": [
        {
          "const": "public",
          "description": "Safe to publish anywhere.",
          "type": "string"
        },
        {
          "const": "customer",
          "description": "Visible to customers under standard ToS.",
          "type": "string"
        },
        {
          "const": "internal",
          "description": "Employees and contractors only.",
          "type": "string"
        },
        {
          "const": "restricted",
          "description": "Need-to-know subset of internal.",
          "type": "string"
        },
        {
          "const": "board_only",
          "description": "Board members and direct staff.",
          "type": "string"
        },
        {
          "const": "investor_only",
          "description": "Existing investors + prospective with NDA.",
          "type": "string"
        }
      ]
    },
    "IsoDate": {
      "description": "ISO 8601 date (YYYY-MM-DD).",
      "format": "date",
      "type": "string"
    },
    "PathRef": {
      "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`",
      "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$",
      "type": "string"
    },
    "PentestFinding": {
      "description": "One finding from the engagement.",
      "properties": {
        "cvss_score": {
          "format": "double",
          "type": "number"
        },
        "cwe_id": {
          "description": "CWE identifier for the weakness class, if one applies.",
          "type": [
            "string",
            "null"
          ]
        },
        "description": {
          "type": "string"
        },
        "exploitation": {
          "description": "Exploitation narrative.",
          "type": "string"
        },
        "fixed": {
          "description": "Whether the finding was fixed at retest.",
          "type": "boolean"
        },
        "fixed_on": {
          "anyOf": [
            {
              "$ref": "#/$defs/IsoDate"
            },
            {
              "type": "null"
            }
          ]
        },
        "id": {
          "type": "string"
        },
        "impact": {
          "type": "string"
        },
        "recommendation": {
          "type": "string"
        },
        "severity": {
          "$ref": "#/$defs/PentestFindingSeverity"
        },
        "title": {
          "type": "string"
        },
        "tracker_ref": {
          "anyOf": [
            {
              "$ref": "#/$defs/PathRef"
            },
            {
              "type": "null"
            }
          ],
          "description": "PathRef to a tracking ticket / vulnerability record."
        }
      },
      "required": [
        "id",
        "title",
        "severity",
        "cvss_score",
        "description",
        "exploitation",
        "impact",
        "recommendation",
        "fixed"
      ],
      "type": "object"
    },
    "PentestFindingSeverity": {
      "description": "Finding severity (CVSS-aligned).",
      "enum": [
        "informational",
        "low",
        "medium",
        "high",
        "critical"
      ],
      "type": "string"
    },
    "PentestKind": {
      "description": "Pentest type.",
      "oneOf": [
        {
          "const": "external",
          "description": "External / internet-facing services.",
          "type": "string"
        },
        {
          "const": "internal",
          "description": "Internal network / lateral movement.",
          "type": "string"
        },
        {
          "const": "web_application",
          "description": "Web application.",
          "type": "string"
        },
        {
          "const": "mobile_application",
          "description": "Mobile application.",
          "type": "string"
        },
        {
          "const": "api",
          "description": "API surface.",
          "type": "string"
        },
        {
          "const": "cloud",
          "description": "Cloud configuration.",
          "type": "string"
        },
        {
          "const": "wireless",
          "description": "Wireless / RF.",
          "type": "string"
        },
        {
          "const": "physical",
          "description": "Physical / facility.",
          "type": "string"
        },
        {
          "const": "social_engineering",
          "description": "Social engineering / phishing.",
          "type": "string"
        },
        {
          "const": "red_team",
          "description": "Red-team / adversarial campaign.",
          "type": "string"
        },
        {
          "const": "purple_team",
          "description": "Purple-team (collaboration).",
          "type": "string"
        }
      ]
    },
    "PentestKnowledgeModel": {
      "description": "Tester knowledge model (how much the tester knows up front).",
      "oneOf": [
        {
          "const": "black_box",
          "description": "No prior knowledge (external attacker simulation).",
          "type": "string"
        },
        {
          "const": "grey_box",
          "description": "Partial knowledge (typical user account).",
          "type": "string"
        },
        {
          "const": "white_box",
          "description": "Full source / architecture access.",
          "type": "string"
        }
      ]
    },
    "PentestMethodology": {
      "description": "Methodology framework.",
      "oneOf": [
        {
          "enum": [
            "other"
          ],
          "type": "string"
        },
        {
          "const": "owasp_wstg",
          "description": "OWASP Web Security Testing Guide (WSTG).",
          "type": "string"
        },
        {
          "const": "owasp_asvs",
          "description": "OWASP Application Security Verification Standard.",
          "type": "string"
        },
        {
          "const": "owasp_mstg",
          "description": "OWASP Mobile Security Testing Guide.",
          "type": "string"
        },
        {
          "const": "owasp_api_security",
          "description": "OWASP API Security Top 10.",
          "type": "string"
        },
        {
          "const": "ptes",
          "description": "Penetration Testing Execution Standard (PTES).",
          "type": "string"
        },
        {
          "const": "nist_sp800115",
          "description": "NIST SP 800-115.",
          "type": "string"
        },
        {
          "const": "osstmm",
          "description": "OSSTMM (Open Source Security Testing Methodology Manual).",
          "type": "string"
        },
        {
          "const": "mitre_attack",
          "description": "MITRE ATT&CK-aligned red-team campaign.",
          "type": "string"
        }
      ]
    },
    "PentestStatus": {
      "description": "Engagement lifecycle status.",
      "enum": [
        "scoping",
        "in_progress",
        "reporting",
        "awaiting_retest",
        "closed"
      ],
      "type": "string"
    }
  },
  "$id": "https://corpospec.com/schemas/v0.16.0/penetration-test.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "additionalProperties": false,
  "description": "Pentest engagement record.",
  "properties": {
    "attestation_ref": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "PathRef to the attestation letter (for SOC 2 / PCI auditors)."
    },
    "confidentiality": {
      "$ref": "#/$defs/Confidentiality"
    },
    "ended_on": {
      "$ref": "#/$defs/IsoDate"
    },
    "entity": {
      "$ref": "#/$defs/PathRef"
    },
    "findings": {
      "items": {
        "$ref": "#/$defs/PentestFinding"
      },
      "type": "array"
    },
    "id": {
      "$ref": "#/$defs/PathRef"
    },
    "in_scope_systems": {
      "description": "PathRefs to systems within scope.",
      "items": {
        "$ref": "#/$defs/PathRef"
      },
      "type": "array"
    },
    "kind": {
      "$ref": "#/$defs/PentestKind"
    },
    "knowledge_model": {
      "$ref": "#/$defs/PentestKnowledgeModel"
    },
    "methodology": {
      "$ref": "#/$defs/PentestMethodology"
    },
    "report_ref": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "PathRef to the final report."
    },
    "retest_due_date": {
      "$ref": "#/$defs/IsoDate"
    },
    "scope": {
      "type": "string"
    },
    "started_on": {
      "$ref": "#/$defs/IsoDate",
      "description": "Engagement start date."
    },
    "status": {
      "$ref": "#/$defs/PentestStatus"
    },
    "vendor": {
      "description": "Vendor / firm conducting the test.",
      "type": "string"
    }
  },
  "required": [
    "id",
    "entity",
    "kind",
    "methodology",
    "knowledge_model",
    "scope",
    "in_scope_systems",
    "vendor",
    "started_on",
    "ended_on",
    "findings",
    "status",
    "retest_due_date",
    "confidentiality"
  ],
  "title": "PenetrationTest",
  "type": "object",
  "x-corpospec-pillar": "legal"
}