Security Policy

Security Advisory Policy

Last Updated: June 7, 2024

Through collaboration with the Ping Identity community and our customers, we strive to address security vulnerabilities transparently and rapidly.

Our Ping Identity security advisory policy describes how our community can engage Ping Identity on a security issue, as well as the process Ping

Identity follows and the actions you can expect from us. Ping Identity customers should always raise a ticket with Ping Identity support for any security questions on our software. Ping Identity customers with questions that concern a code scanning report should refer to our Code Scanning Policy.

How to Submit a Security Issue to Ping Identity

If you discover a security issue that affects a Ping Identity product, please email the details to security@pingidentity.com with the following information:

How critical is the security issue?
How did you become aware of the security issue?
Did you discover the security issue yourself, or were you made aware of the issue through other means?
A summary of the issue should contain the product that is affected, how the product is affected, and any known workarounds.

Upon receipt of the email, we will initiate our security process and will keep you informed about the progress of the issue.

Receipt of the Security Exploit

When Ping Identity receives notification of a new exploit or security issue within a Ping Identity product, the process of evaluation and resolution of a potential security issue is described below.

Ping Identity uses the following three key areas when assessing any potential security issue; Criticality, Customer Impact and Publicity. They are assessed in this order of precedence

Criticality: Where does the exploit sit on the severity line? We use CVSS 3 scoring to determine the criticality.
Customer Impact: What is the potential impact to the customer
Publicity: Has the security issue been made public, is there an exploit that has also been made public?

If you have received an exploit, please read through the following table; the threat level is determined by following severity level criteria:

Severity Level

Criticality

Customer Impact

Publicity

Recommended Approach

Critical

Clear security risk without requiring existing access or accounts.

A risk exists that customer data could be exposed or system integrity compromised.

Details of an exploit is in the public domain.

Apply mitigations or patches as soon as possible.

High

Threat exists, but prior knowledge of deployment/machine access/specific functionality/accounts would be required to exploit.

There is no risk to customer data. No significant risk to system integrity.

Limited details of the issue, but the exploit is not in the public domain.

Assess the threat and apply mitigations or patches as appropriate.

Medium

Only a risk in certain limited circumstances such as specific deployment or configuration.

A successful exploit has limited impact on the environment, no risk to customer data or system integrity.

Known to specific individuals and/or organizations, not in the public domain.

Determine if your deployment is at risk and apply mitigations or patches as appropriate.

Low

Access to physical machine might be required to enable the exploit through configuration/ customisation changes.

Very limited risk to the environment.

Not in the public domain.

Apply the mitigations or patches in your next software update cycle.

The responsible engineering team is ultimately responsible for deciding the appropriate severity level for the reported issue based on the aforementioned criteria.

Escalation Path

Critical: All known details are sent to Ping Identity’s internal security team, and the affected engineering team is informed. The product security team is informed and starts to address the issue.
High: All known details are sent to Ping Identity’s internal security team. The affected engineering team and product security team is informed and starts to address the issue.
Medium/Low: Forward all details to the security alias to be covered in the next product management review meeting.

Product Security Team

Ping Identity’s Product Security team works with product management, support, professional services, and engineering. All reported issues are evaluated for mitigation or resolution of a security issue.

Publication Process and Timeline

Security Advisory

Once the security advisory has been approved for publication, a notification will be communicated via email and a knowledge base article is posted on the support portal. Anyone who has registered with the support portal will be able to access the contents of the security advisory.

Security Patches

Customers will gain access to all security patches, patch releases or maintenance releases for the issues described in the advisory at the time of publication.

CVE ID Publication

All security advisories are issued a corresponding CVE ID so security tools are able to scan and detect installations that need a security patch applied. CVE IDs are disclosed through the national vulnerability database (NVD) to keep customers safe.