
See Progress' security practices for vulnerability communications and remediation, especially in relation to the recent U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisory.

On March 15, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory reporting that threat actors had exploited an unpatched 2019 vulnerability (CVE-2019-18935) in Telerik UI for ASP.NET AJAX on a U.S. federal civilian executive branch agency's Internet-facing web server. For Telerik customers who have not already done so, we are again strongly urging you to follow the published remediation guidance and instructions to address this vulnerability. As always, we encourage all our customers to establish and maintain a patching process to help ensure the security of their deployments.
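The first step in acting on that guidance is knowing where Telerik UI for ASP.NET AJAX is actually deployed, which is often more places than the application inventory says. The PowerShell script below is an added example written for this page, not code from Progress or from the Telerik product: it enumerates the physical paths of every IIS site and application (plus the GAC, since a GAC copy wins over a bin-folder copy), finds each Telerik.Web.UI.dll, reads its assembly version and flags any copy below a cut-off. The cut-off is a caller-supplied assumption; the default of 2020.1.114 is the release NVD cites for CVE-2019-18935 as the first whose default configuration prevents the exploit, and you should confirm the value you use against Progress's published remediation guidance for your release line.

```powershell
<#
  Added example (not from the Progress post): inventory copies of
  Telerik.Web.UI.dll on an IIS host and flag any whose assembly version is
  below a cut-off. The default cut-off is an assumption taken from the NVD
  entry for CVE-2019-18935; confirm it against Progress's published guidance.
#>
param(
    [version]$MinimumVersion = [version]'2020.1.114',
    [string[]]$SearchRoots = @()
)

# Resolve IIS site and application physical paths when the WebAdministration
# module is available; otherwise fall back to the default inetpub location.
if ($SearchRoots.Count -eq 0) {
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    if (Get-Command Get-Website -ErrorAction SilentlyContinue) {
        $SearchRoots += Get-Website | ForEach-Object {
            [Environment]::ExpandEnvironmentVariables($_.physicalPath) }
        $SearchRoots += Get-WebApplication | ForEach-Object {
            [Environment]::ExpandEnvironmentVariables($_.PhysicalPath) }
    }
    if ($SearchRoots.Count -eq 0) { $SearchRoots += 'C:\inetpub' }
    # A GAC-installed copy is loaded ahead of a site's bin folder, so check it too.
    $SearchRoots += 'C:\Windows\Microsoft.NET\assembly', 'C:\Windows\assembly'
}

function Get-TelerikAssemblyVersion {
    param([string]$Path)
    # GetAssemblyName reads the manifest without loading the assembly into
    # this process; fall back to the PE file version if that fails.
    try {
        return [System.Reflection.AssemblyName]::GetAssemblyName($Path).Version
    } catch {
        $fileVersion = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        $parsed = $null
        if ([version]::TryParse($fileVersion, [ref]$parsed)) { return $parsed }
        return $null
    }
}

$findings = foreach ($root in ($SearchRoots | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter 'Telerik.Web.UI.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $version = Get-TelerikAssemblyVersion -Path $_.FullName
            [pscustomobject]@{
                Path           = $_.FullName
                Version        = $version
                LastWriteTime  = $_.LastWriteTime
                # Copies whose version cannot be read are flagged for manual review.
                NeedsAttention = ($null -eq $version) -or ($version -lt $MinimumVersion)
            }
        }
}

if (-not $findings) {
    Write-Host "No Telerik.Web.UI.dll found under: $($SearchRoots -join ', ')"
} else {
    $findings |
        Sort-Object @{ Expression = 'NeedsAttention'; Descending = $true }, Path |
        Format-Table -AutoSize
    $flagged = @($findings | Where-Object NeedsAttention)
    Write-Host ("{0} of {1} copies are below {2} or could not be read." -f
        $flagged.Count, @($findings).Count, $MinimumVersion)
    # Non-zero exit so a scheduled run or configuration-management job notices.
    if ($flagged.Count -gt 0) { exit 1 }
}
```

Run it elevated on each web server (`.\Find-TelerikUI.ps1` or `.\Find-TelerikUI.ps1 -MinimumVersion 2020.1.114 -SearchRoots D:\Sites`); the list it prints is the set of deployments the published remediation guidance has to be applied to, and the non-zero exit code makes it usable from a scheduled task or configuration-management check. Treat the version comparison as a triage signal, not a verdict: the NVD description of CVE-2019-18935 notes that exploitation depends on the RadAsyncUpload encryption keys being known and that 2019.3.1023 can be protected by a non-default setting, so a copy on either side of the cut-off still needs its configuration checked against Progress's guidance.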

Progress places the highest importance on the security of our products in order to protect our customers and their systems. You can learn more about our vulnerability remediation and customer notification process below. We employ a variety of procedures and tools to identify vulnerabilities, remediate them as soon as possible and clearly communicate to customers the urgency of applying software upgrades.

Progress embraces responsible disclosure, through which security defects may be discovered and reported by independent security researchers. You can learn more about our vulnerability disclosure process and policy here.

As we do with all vulnerabilities found in our products, we issue notification and remediation guidance to our customers through our email notification system. For critical vulnerabilities with a high CVSS score, we notify all past and present customers, regardless of license status, and encourage them to follow the recommended remediation steps. In addition, articles are published on our public-facing knowledge base, blogs, forums and community pages, and technical support is available as needed. The security of our customers is one of our highest priorities, and we continue to distribute periodic reminders on the importance of implementing patches and applying software upgrades.

Progress seeks to be proactive and prevent security defects from reaching any of our products through our secure development lifecycle (SDLC) processes. Furthermore, all Progress employees are required to complete role-specific courses in security awareness, secure code development and the proper handling of confidential and personal data, including compliance with data privacy regulations (e.g., GDPR, HIPAA).

For useful tips and resources on how to tighten the security of the Telerik ASP.NET AJAX controls, you can read more here.

For any questions, you can contact us via the support ticketing system. If you don’t have an active license, you can reach out to Telerik support by opening a General Feedback ticket.


About the Author

Richard Barretto

Richard Barretto is the Chief Information Security Officer at Progress. Richard and his team are responsible for overseeing and developing the data protection strategy for the Progress enterprise. He joined the company in 2020 and has 20-plus years of experience as a cyber security professional. In his free time, he likes playing tennis and spending time with family.
