Discern

Security

Independent penetration test.

Before public launch we commissioned an independent penetration test from a specialist vendor. This page is the public, redacted summary of that engagement: who tested Discern, what was in scope, the dates, the findings by severity, and the remediation status. The full report is confidential and is not published.

The retest cleared on 31 July 2026 with zero unremediated critical or high findings, satisfying the launch gate.

Engagement

Vendor
Cure53
Type
Web, mobile (iOS and Android, including the React Native Web build), API and authentication
Testing window
1 to 19 June 2026
Final report
26 June 2026
Retest deadline
31 July 2026
Retest cleared
31 July 2026
Status
Closed. Zero unremediated critical or high findings at retest.

Scope

In scope:

  • the Discern API server: every authenticated route, the magic-link sign-in flow, session bearer-token handling, audit log integrity, rate limiting, security headers, file upload paths, and the Stripe and RevenueCat webhooks;
  • the Discern mobile client on iOS, Android and the web build, including the deep-link handlers and the secure-store handling of the bearer token;
  • the marketing site and curator console (surface review for cross-site scripting, clickjacking and open-redirect abuse);
  • the per-user data scoping boundary, the consent and legal-acceptance gates, and the privilege boundary between curators and users;
  • signed-URL handling for object storage;
  • database least-privilege roles;
  • secrets exposure.

Out of scope: physical security, social engineering, denial-of-service against the production database, the on-device language-model features, and the third-party providers we depend on (those vendors run their own programmes and we hold their attestations on file).

Findings by severity

Severity follows the vendor report (CVSS 3.1 base score, with the vendor's written justification taking precedence over the raw score where the two differ). The remediation SLA is seven calendar days for critical findings and twenty-eight for high, and both had to be met before public launch.

Severity                  Reported   Remediated
Critical (CVSS 9.0+)      0          0
High (7.0 to 8.9)         1          1
Medium (4.0 to 6.9)       3          3
Low / informational       9          7

The two low / informational findings not closed before launch were risk-accepted with documented mitigations under the engagement SLA, each with a tracked follow-up and sign-off from the security owner.

Fixed findings

One line per finding fixed before launch, in severity order. The detail in the confidential report is omitted here on purpose: enough to recognise the class of issue and confirm it was closed, not enough to reproduce.

  • [High] Magic-link sign-in: a timing variance in token comparison was replaced with a constant-time check before launch.
  • [Medium] Session bearer tokens: the secure-store entry on Android was changed to require device unlock; iOS already required this.
  • [Medium] File upload: the signed-URL lifetime on the avatar upload path was shortened and the URL bound to the requesting user.
  • [Medium] Curator console: a reflected query parameter on a search route was hardened against HTML injection.
  • [Low] Security headers: the Permissions-Policy header was extended to cover three additional sensors.
  • [Low] Rate limiting: the password-reset endpoint gained a per-account counter alongside the existing per-IP counter.
  • [Low] Audit log: an additional index was added to keep retention sweeps inside the documented latency budget.
  • [Low] Stripe webhook: replayed event deliveries are now detected by idempotency key and not re-processed; they are acknowledged with a 200 so the sender stops retrying, and each replay is recorded as a structured log line.
  • [Low] Mobile deep links: an unused universal-link entitlement was removed from the iOS build.
  • [Low] Marketing site: the FAQ JSON-LD payload now escapes a backtick character that confused some validators.
  • [Low] RevenueCat webhook: requests that lack the signature header are now rejected instead of the header being treated as optional.

Reporting a vulnerability

If you believe you have found a security issue in Discern, please email security@discern.app. We acknowledge reports within two working days and keep the reporter informed through to remediation. We do not pursue legal action against good-faith research that respects the bounds set out in our acceptable-use policy.

Other privacy and data questions

Read the privacy notes on the About page, or the full data and processing detail in our policies linked from the footer.