> Their audit found that our app has no outstanding vulnerabilities.
Either I'm misunderstanding what they mean by "outstanding" or this is a very bold claim. Shouldn't they be saying something like "Their audit found no vulnerabilities in our app."
I think it means that they resolved any found vulnerabilities before the audit was published. Therefore none of the found vulnerabilities were _outstanding_ when they published it. In this case _outstanding_ means that the auditors have not yet verified a fix.
Either I'm misunderstanding what they mean by "outstanding" or this is a very bold claim. Shouldn't they be saying something like "Their audit found no vulnerabilities in our app."