a good thing!
A Message from Our CISO
Ping Identity is a security company. As a security company, we know that the expectations are great and the stakes are high. Job one for security at Ping Identity is creating products and services that are secure, resilient and assured. Second is ensuring that Ping Identity’s business operations are secure and communicated. This starts by investing in the right people, processes and technologies, but it also requires a culture of security that permeates the entire organization. Every employee of Ping Identity understands the importance of our mission, and their role in fulfilling it.
To provide customers with assurance of our program, we’ve modeled our Information Security Management System (ISMS) on industry best practices and frameworks such as ISO 27001 and NIST 800-53. We provide assurance of the effectiveness of our security practices through ISO 27001 certification, SOC 2 and other independent third-party testing of both our products and control framework.
Thank you for taking the time to investigate our security program. Please reach out if you have any questions about the security of Ping Identity’s solutions or corporate practices. If you’d like to dig into the details, see our Security Practices white paper.
Robb Reck, CISO
Ping Identity values the security researcher community greatly and appreciates those who help us improve the security of our corporate systems, products and services. If you’re a security researcher and have discovered a security vulnerability in any of our systems, products or services, we appreciate your help in disclosing it to us privately and giving us an opportunity to address it before publishing technical details. We will validate, respond to, and address vulnerabilities in support of our commitment to security and privacy.
To that end, we have created a couple of different ways to engage with Ping to report vulnerabilities. First is responsibly disclosing directly to our Security Team by filing a support case. Second, in order to get more eyes on our products and services, we have created a bug bounty program that pays for in-scope vulnerabilities in our products and services.
Responsibly disclose to Ping directly:
This is available for any vulnerabilities, whether in Ping’s products or services, our corporate website (pingidentity.com), or any other Ping infrastructure or systems. Please do not publicly disclose these details outside of this process without explicit permission. In order for us to triage and respond to the report, we ask you include the following information in your report:
Click here to file a support case:
Participating in Ping's Product Bug Bounty:
We are thrilled to announce Ping’s public bug bounty, focused solely on Ping’s product and services. The goal here is to leverage the capabilities of the entire research community and get as many good guys looking for issues as possible. All details of the program, including in-scope systems, bounty amounts, and other rules of engagement are available on the bug bounty program landing page.
Click here to access our bug bounty program.
If you identify a verified security vulnerability in compliance with this responsible disclosure program, Ping Identity commits to:
Certifications & Affiliations