VulnBank is proudly compliant with absolutely nothing.
We have undergone rigorous internal audits (we Googled "is my app secure" and clicked "I'm Feeling Lucky") and are pleased to report the following compliance status:
We don't just fail the OWASP Top 10. We implement all 10 as features. SQL injection, XSS, SSRF, IDOR, broken authentication, security misconfiguration... we have the full collection.
Payment Card Industry standards require sensitive data, authentication credentials included, to be stored only in unreadable (encrypted or hashed) form. We store passwords in plaintext and park session JWTs in localStorage, where any of our XSS bugs can read them. PCI DSS auditors are welcome to cry.
The right to be forgotten is technically achievable through our admin panel's unsecured delete endpoint. Anyone can forget you. Whether you wanted them to is another matter.
Our access controls consist of a JWT that never expires, an admin panel hidden behind a guessable URL, and a profile picture upload that doubles as a server-side request forgery tool.
We operate a full-disclosure policy in the most literal sense: every vulnerability is fully disclosed in the source code via helpful HTML comments like <!-- Vulnerability: No CSRF protection -->. We believe in making penetration testers' lives easier.
In the event of a security breach, our incident response plan is to remind everyone that the application is called "Vulnerable Bank" and that this was the plan all along. Mean time to acknowledgment: immediate. Mean time to remediation: never.