A Message from Our CISO
Ping Identity is a security company. As a security company, we know that the expectations are great and the stakes are high. Job one for security at Ping Identity is creating products and services that are secure, resilient and assured. Second is ensuring that Ping Identity’s business operations are secure and communicated. This starts by investing in the right people, processes and technologies, but it also requires a culture of security that permeates the entire organization. Every employee of Ping Identity understands the importance of our mission, and their role in fulfilling it.
To provide customers with assurance of our program, we’ve modeled our Information Security Management System (ISMS) on industry best practices and frameworks such as ISO 27001 and NIST 800-53. We provide assurance of the effectiveness of our security practices through ISO 27001 certification, SOC 2 and other independent third-party testing of both our products and control framework.
Thank you for taking the time to investigate our security program. Please reach out if you have any questions about the security of Ping Identity’s solutions or corporate practices. If you’d like to dig into the details, see our Security Practices white paper.
CISO, Ping Identity
Ping Identity has created a responsible disclosure program as one avenue for identifying and remediating vulnerabilities within our products. If you’re a security researcher and have discovered a security vulnerability in any of our solutions, we appreciate your help in disclosing it to us privately and giving us an opportunity to address it before publishing technical details. We will validate, respond to and address vulnerabilities in support of our commitment to security and privacy.
Share the details of any suspected vulnerabilities with Ping Identity’s Information Security Team by filing a support case. Please don’t publicly disclose these details outside of this process without explicit permission. In reporting any suspected vulnerabilities, please include the following:
Product name and version
Vulnerable URL: the endpoint where the vulnerability occurs
Vulnerable Parameter: if applicable, the parameter where the vulnerability occurs
Vulnerability Type: the type of the vulnerability
Steps to Reproduce: step-by-step information on how to reproduce the issue
Screenshots or video: a demonstration of the attack
Attack scenario: an example attack scenario may help demonstrate the risk and get your issue resolved faster
If you identify a verified security vulnerability in compliance with this responsible disclosure program, Ping Identity commits to:
Establish a remediation timeline with a definite end date.
Disclose the vulnerability through our support page to best protect our customers (if in our customers’ best interest).
Certifications & Affiliations