
Vulnerability Disclosure Policy

The security and integrity of our products is our priority. At Progress Software, we value everyone's privacy and safety. That’s why we are grateful for the investigative work that led you here.

We continuously improve not only the features of our products but also their security. For that reason, we encourage our clients to upgrade their products whenever there is a chance. If a vulnerability has been fixed in a later version, Progress recommends that customers upgrade their Telerik or Kendo UI product at least to the version that contains the fix.

Procedure


  • If you are a customer or if you consult for a Progress Telerik customer, please contact our Technical Support to report any discovered vulnerabilities.
  • If you are a security researcher and you found a security vulnerability in a Telerik or Kendo UI product, please contact teleriksecurity@progress.com to submit your report. If you have discovered an infrastructure vulnerability, please contact informationsecurity@progress.com.
  • We recommend encrypting your email with our PGP public key, which can be found at the bottom of this page. Please use teleriksecurity@progress.com to report only undisclosed vulnerabilities.

Once our security team receives your report, we will take the following steps:

  1. We respond to you within three business days.
  2. We ask you to keep any communication about the vulnerability confidential and give us time to investigate and mitigate the issue.
  3. Progress investigates and verifies the reported issue.
  4. Progress addresses the vulnerability and may need to release a product upgrade.
  5. Progress notifies you about the fix and gives you the opportunity to test it.
  6. Progress announces the vulnerability publicly in the release notes of the affected Telerik or Kendo UI product and/or through other channels. The release notes include a reference to the researchers who reported the issue, unless they requested anonymity.

Vulnerability Report


To speed up the investigation and to provide a solution as soon as possible, we ask you to include the following information in your report, whenever applicable:

  • All details about the product and environment:
    • Product version
    • Operating system
    • Database type
    • Any other relevant software required to reproduce the vulnerability
  • Detailed instructions on how to reproduce the vulnerability:
    • Step-by-step instructions or screenshots that show the vulnerability
    • Examples of user-supplied input
    • HTTP requests and responses
  • CVSS Score

Our Commitment to Security Researchers


Progress recognizes the importance of security researchers in the effort to keep our products safe. Thank you for your contribution! Our commitment to you is to:

  • Acknowledge the receipt of your vulnerability report in a timely manner.
  • Notify you when the vulnerability is fixed and give you the opportunity to confirm it is fixed.
  • Publicly thank you for your responsible disclosure and for helping us keep our products secure.

Guidelines and Confidentiality Requirements for Security Researchers


In carrying out research and testing on our products we ask that all security researchers follow these responsible disclosure guidelines:

  • Your disclosure should not result from testing that (i) results in a degradation of Progress’ systems, (ii) results in you, or any third party, accessing, storing, sharing or destroying Progress or customer data, or (iii) may impact Progress’ customers, such as denial of service, social engineering or spam.
  • Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
  • If you inadvertently access proprietary customer, employee, or business-related information during your testing (“Data”), the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the Data must be declared within your disclosure.
  • Any Data or information you receive or collect about Progress, its affiliates or any of their users, employees or agents in connection with your research or your disclosure (“Confidential Information”) must be kept confidential and only used in connection with the disclosure. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your disclosure, without Progress’ prior written consent.

Progress-Owned Telerik Websites


Third parties are prohibited from running automated scanners or attempting penetration tests or other forms of attack against Progress-owned Telerik websites. Progress conducts its own testing or contracts out to specific third parties for security scanning. If you want to perform security scanning of a Telerik or Kendo UI product, please do so on a copy of the product installed on a machine controlled by you. Vulnerabilities found by unauthorized scans of Progress Telerik websites will not be rewarded.

PGP Public Key

