Vulnerability Assessment and Penetration Testing Report Submission Guidelines

This document is a communiqué to Depository Participants (DPs) regarding the submission of the Annual Vulnerability Assessment and Penetration Testing (VAPT) report. It outlines the requirement for DPs to conduct VAPT annually between September and November and submit the final report to Central Depository Services (India) Limited (CDSL) within one month of completion. The report must be prepared by a CERT-In empaneled entity and uploaded in PDF format by December 31, 2024. The document details the scope of VAPT, which includes grey box assessments, vulnerability assessments of various infrastructures, external penetration testing, and configuration audits. It emphasizes the importance of addressing vulnerabilities identified in the initial report and conducting a revalidation assessment. Compliance with the submission timelines is crucial to avoid regulatory non-compliance. Additionally, the document provides step-by-step guidelines for the report submission process on the Audit Web Portal.