Jitbit External Penetration Testing Policy

Document Version: 1.0
Published Date: April 1st, 2024

Why Jitbit Conducts External Penetration Testing

Jitbit requires periodic external penetration testing to proactively identify and fix security vulnerabilities in our SaaS Helpdesk software and hosting infrastructure. Rather than waiting for attackers to find weaknesses, we hire independent security professionals to simulate real-world attacks against our systems — then we fix what they find before it becomes a problem for our customers.

This penetration testing policy documents the frequency, scope, and remediation process that governs every engagement. It is one part of a broader security program that includes our Software Development Life Cycle (SDLC) Policy, Backup Policy, and Business Continuity Plan.

Scope of Penetration Testing

This policy applies to all IT systems, networks, and applications owned or operated by Jitbit that are accessible from external networks. That includes the Jitbit Helpdesk web application, its supporting APIs, database infrastructure, and every server reachable from the public internet.

Penetration Testing Policy Statement

Jitbit engages an external, certified third-party security firm to conduct penetration testing twice per year. These tests are designed to uncover any security vulnerabilities within our software and hosting environments before they can be exploited. By mandating independent testing, we ensure our security posture is evaluated objectively — not just by the same team that built the systems.

How Penetration Tests Are Conducted

  • Frequency: Penetration testing is performed biannually (twice per year), with additional tests scheduled after significant infrastructure changes.
  • Testing Agency: All tests are conducted by an external, certified third-party security firm with no affiliation to Jitbit's development or operations teams.
  • Scope of Testing: Each engagement covers all external-facing systems and networks, including web applications, APIs, databases, and server infrastructure. Testing methodologies follow industry-standard frameworks such as OWASP and PTES.

Post-Testing Remediation Process

  • Review of Results: Penetration test results are reviewed in detail by the IT security team together with the CTO. Every finding is classified by severity and assigned to the appropriate team for remediation.
  • Resolution Timeline: All critical or serious issues are resolved within six months of the test date. High-severity vulnerabilities are prioritized for immediate action, with patches typically deployed within weeks.
  • Verification: After remediation, fixes are verified through retesting to confirm that the identified vulnerabilities have been fully addressed.

Confidentiality of Test Results

Penetration testing results are held strictly confidential and are not shared with any third party. Access to reports is limited to authorized security personnel and senior leadership. This protects both Jitbit and our customers by ensuring that detailed vulnerability information never reaches unauthorized parties.

An example summary report (with sensitive details redacted) is available here.

Compliance and Monitoring

Compliance with this penetration testing policy is monitored by the IT security department and reported directly to the CTO. Any deviation from the testing schedule or remediation deadlines is flagged and addressed promptly. This oversight ensures that penetration testing remains a consistent, reliable part of Jitbit's security program — not a one-time exercise.

Penetration testing is one component of Jitbit's comprehensive approach to security. For a complete picture of how we protect your data, see:
