Detectify regularly, at least annually, commissions external penetration testing of our assets. Being a security company, we also use our own tools on a weekly basis.
On top of that, Detectify has a responsible disclosure program where anyone can report weaknesses. See: https://detectify.com/responsible_disclosure. Findings are notified to Detectify and immediate and adequate actions are taken to remedy findings.