- If you are a customer, or if you consult for a Progress Telerik customer, please contact our Technical Support to report any discovered vulnerabilities.
- If you are a security researcher and you found a security vulnerability in a Telerik or Kendo UI product, please contact firstname.lastname@example.org to submit your report. If you have discovered an infrastructure vulnerability, please contact email@example.com.
- We recommend encrypting your email with our PGP public key, which can be found at the bottom of this page. Please use firstname.lastname@example.org to report only undisclosed vulnerabilities. Once our security team receives your report, we will take the following steps:
  - We respond to you within three business days.
  - We ask you to keep any communication about the vulnerability confidential and give us time to investigate and mitigate the issue.
  - Progress investigates and verifies the reported issue.
  - Progress addresses the vulnerability and may need to release a product upgrade.
  - Progress notifies you about the fix and gives you the opportunity to test it.
  - Progress announces the vulnerability publicly in the release notes of the affected Telerik or Kendo UI product and/or through other channels. The release notes include a reference to the researchers who reported the issue, unless they requested anonymity.
To speed up the investigation and to provide a solution as soon as possible, we ask you to include the following information in your report, whenever applicable:
- All details about the product and environment:
  - Product version
  - Operating system
  - Database type
  - Any other relevant software required to reproduce the vulnerability
- Detailed instructions on how to reproduce the vulnerability:
  - Step-by-step instructions or screenshots that show the vulnerability
  - Examples of user-supplied input
  - HTTP requests and responses
- CVSS score
Our Commitment to Security Researchers
Progress recognizes the importance of security researchers in the effort to keep our products safe. Thank you for your contribution! Our commitment to you is to:
- Acknowledge the receipt of your vulnerability report in a timely manner.
- Notify you when the vulnerability is fixed and give you the opportunity to confirm it is fixed.
- Publicly thank you for your responsible disclosure and for helping us keep our products secure.
Guidelines and Confidentiality Requirements for Security Researchers
In carrying out research and testing on our products, we ask that all security researchers follow these responsible disclosure guidelines:
- Your disclosure should not result from testing that (i) results in a degradation of Progress’ systems, (ii) results in you, or any third party, accessing, storing, sharing or destroying Progress or customer data, or (iii) may impact Progress’ customers, such as denial of service, social engineering or spam.
- Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
- If you inadvertently access proprietary customer, employee, or business-related information during your testing (“Data”), the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the Data must be declared within your disclosure.
- Any Data or information you receive or collect about Progress, its affiliates or any of their users, employees or agents in connection with your research or your disclosure (“Confidential Information”) must be kept confidential and only used in connection with the disclosure. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your disclosure, without Progress’ prior written consent.
Progress-Owned Telerik Websites
Third parties are prohibited from running automated scanners or attempting penetration tests or other forms of attack against Progress-owned Telerik websites. Progress conducts its own testing or contracts out to specific third parties for security scanning. If you want to perform security scanning of a Telerik or Kendo UI product, please do so on a copy of the product installed on a machine controlled by you. Vulnerabilities found by unauthorized scans of Progress Telerik websites will not be rewarded.
PGP Public Key
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----