Security

Last updated on May 12, 2022

Security Overview

Corporate

All LVT employees undergo regular security training covering phishing detection, physical security, and cybersecurity best practices, among other topics. Access to all internal systems is controlled by a central identity and access management (IAM) system that enforces single sign-on (SSO) and multi-factor authentication (MFA).

Infrastructure

LVT infrastructure is reachable only over a hardened virtual private network (VPN) connection, which requires an active account protected by MFA to authenticate. Access to the LVT cloud environment is restricted by job role under the principle of least privilege and is enforced by the same identity and access management system. Analytics tooling continuously monitors the LVT infrastructure for threats and vulnerabilities.

Edge

Edge systems connect to the LVT Platform over a private network provided through multiple internet service providers (ISPs). This private connection, rather than the public internet, carries the communication between each edge unit and the LVT Platform.

Platform

The LVT Platform uses role-based access control so that users have access only to the resources they need. The portal supports SAML and Sign in with Google for organizations that wish to use their own identity provider. All connections to the web portal are encrypted with TLS 1.2.

Security

You can find more information about our vulnerability disclosure practices here.


Customer Pentesting Policy

Purpose

This policy outlines the procedures and requirements for external customers who wish to conduct penetration testing on LVT's products and services. Our aim is to ensure that all testing is conducted safely, responsibly, and in compliance with legal and operational guidelines.

Scope

This policy applies to external enterprise customers seeking to perform penetration tests against LVT staging environments. Production environments are out of scope so that testing cannot affect live service.

Requirements


1. Non-Disclosure Agreement (NDA)

All tests must be conducted under a signed NDA to protect the confidentiality and integrity of data and findings.

2. Pre-Approval

Requests for penetration testing must be submitted to our security team via email (security@lvt.com) at least 10 business days before the intended start. The request must include:

  • Testing dates, times, and time zone
  • Tester's name or company
  • Contact information of the primary tester
  • Source IP addresses for the test
  • Detailed scope of testing (areas of interest, methodology, attack vectors)

3. Tester Training Requirements

All testers must possess relevant certifications (e.g., OSCP, CEH) and/or demonstrate experience in conducting penetration tests. Testers should also undergo regular training to stay updated with the latest security practices and technologies.

4. Communication Plan

The customer, or the testing firm acting on its behalf, should outline a proposed communication plan detailing:

  • Preferred channels and frequency of updates during the engagement.
  • The process for immediate reporting of critical vulnerabilities discovered.
  • Protocols for any purple-team coordination with LVT's security team during simulated attack scenarios.

5. Testing Restrictions

  • No Social Engineering: Tests targeting our personnel or systems through social engineering are prohibited.
  • No Denial-of-Service (DoS): Tests that could degrade or disrupt services are not allowed.
  • No Destructive Testing: Tests must not intentionally modify or delete data.
  • Staging Environment Only: Tests should be conducted only within designated staging environments.

6. Conducting the Test

Testers must ensure that their activities are responsible and ethical, comply with all laws, and do not disrupt LVT's operational capabilities. Specific guidelines include:

  • User Access Accounts: Testers will use pre-defined user accounts with minimum necessary permissions.
  • Third Party Testing: If using a third-party testing firm, direct communication between LVT and the third party is required to ensure adherence to this policy.

7. Reporting

A full report of the test findings must be submitted to our security team within 10 business days after testing concludes. The report should detail all vulnerabilities found, testing methods used, and any remediation recommendations.

8. Review and Follow-Up

Our security team will review the submitted report, track issues, and escalate them as needed. Customers can expect a preliminary response within 5 business days, followed by detailed discussions if necessary.

9. Scoring and Remediation Strategy

  • Scoring of Findings: Vulnerabilities are scored with the Common Vulnerability Scoring System (CVSS). The base score's exploitability and impact metrics determine the severity rating (Critical, High, Medium, Low) used for prioritization.
  • Remediation Commitment: We prioritize fixes by severity: critical issues are addressed within 30 days, high issues within 60 days, and medium and low issues within 90 days.

10. Policy Violation

Violations of this policy may lead to revocation of testing permissions, potential legal action, and cessation of services, depending on the violation's severity.

11. Contact Information

For questions or to submit a testing request, please contact: security@lvt.com