We have comprehensive policies for how we handle security across the organization. They apply to all systems, people and processes that constitute the organization's information systems, including board members, employees, suppliers, and other third parties with access to our systems.
Since Highcharts is a client-side library, we don’t see penetration testing as relevant. However, we have done vulnerability testing with Checkmarx, focusing in particular on XSS exploitation. In addition to this testing, our CI test suite is set up with the examples from the OWASP XSS Filter Evasion Cheat Sheet.
Extending our core products, Highcharts may also refer to files on other web servers, or send chart configurations across the web. Such instances, and how to deal with them, are covered in our General Documentation.