Has there been a third-party security audit?

We are starting to deploy Zammad within human rights and humanitarian use contexts. Our first task has been to work on a general hardened deployment configuration and container. We hope to share and publish this soon.

Beyond that, we were curious if there has been any third-party code audit, pen testing, or other external review of Zammad?

If so, were there any public outcomes?

If not, we would be interesting in help making this happen.