...
a. Before all releases – major and minor – a penetration test is performed by a 3rd party under the supervision of Digizuite’s security officer. Releases do not pass if there are critical, high, or medium issues identified which are not assessed and handled. Issues tagged as “low” (or similar) are assessed and either a) added to the development backlog or b) addressed immediately.
...
f. Customers – or a partner – may, in coordination with Digizuite, perform penetration testing or other vulnerability assessment tests. Depending on contractual agreements, Digizuite will give identified vulnerabilities classified as critical and high – if such are identified – immediate attention. Issues classified as low or medium will be evaluated before the planning of the following major or minor release. It is a concern that changes made to handle low severity findings may introduce other risks.