Question VULN-04
Will you provide results of application and system vulnerability scans to the institution?
Weight | 25 |
High Risk | Yes |
Required | Yes |
Compliant Answer | Yes |
Standard Guidance
EDUCAUSE provides no guidance here.
Answering "NO"
Describe why security scan results will not be provided to the institution.
Answering "YES"
Provide a reference to security scan documentation.
Reason for Question
If a vendor scans its applications and/or systems, an institution will often want to review the report, if possible. Preferably, every finding in the report will have a matching mitigation action.
Follow-Up Inquiries
If a vendor is hesitant to share the report, ask for a summarized version; some insight is better than none.