As part of selling our solution to enterprise customers we complete penetration testing regularly. The results identify which elements of the Bubble environment (outside the control of the application developer) are out of compliance with current GDPR, PCI DSS and OWASP ASVS requirements.
Where should these results be sent? Does anyone care that a vulnerability in the Bubble environment immediately prevents 100% of its customers from being able to claim GDPR compliance?
Our last round of testing has identified two libraries preventing GDPR compliance from being granted and a raft of others that are low vulnerabilities. Where do we send this information?
Or is the answer that such vulnerabilities should be hashed out here on the forum? Looking through the forum, the tendency is to try and shut these posts down as fast as possible rather than establish a proper communication flow. Thoughts?