Security at Ping Identity

A Message from Our CISO

Ping Identity is a security company. As a security company, we know that the expectations are great and the stakes are high. Job one for security at Ping Identity is creating products and services that are secure, resilient and assured. Second is ensuring that Ping Identity’s business operations are secure and communicated. This starts by investing in the right people, processes and technologies, but it also requires a culture of security that permeates the entire organization. Every employee of Ping Identity understands the importance of our mission, and their role in fulfilling it.


To provide customers with assurance of our program, we’ve modeled our Information Security Management System (ISMS) on industry best practices and frameworks such as ISO 27001 and NIST 800-53. We provide assurance of the effectiveness of our security practices through ISO 27001 certification, SOC 2 and other independent third-party testing of both our products and control framework.


Thank you for taking the time to investigate our security program. Please reach out if you have any questions about the security of Ping Identity’s solutions or corporate practices. If you’d like to dig into the details, see our Security Practices white paper.



Robb Reck

CISO, Ping Identity

Responsible Disclosure

Ping Identity values the security researcher community greatly and appreciates those who help us improve the security of our corporate systems, products and services. If you’re a security researcher and have discovered a security vulnerability in any of our systems, products or services, we appreciate your help in disclosing it to us privately and giving us an opportunity to address it before publishing technical details. We will validate, respond to, and address vulnerabilities in support of our commitment to security and privacy.


To that end, we have created a couple of different ways to engage with Ping to report vulnerabilities. First is responsibly disclosing directly to our Security Team by filing a support case. Second, in order to get more eyes on our products and services, we have created a bug bounty program that pays for in-scope vulnerabilities in our products and services.

Responsibly disclose to Ping directly:

This is available for any vulnerabilities, whether in Ping’s products or services, our corporate website, or any other Ping infrastructure or systems. Please do not publicly disclose these details outside of this process without explicit permission. In order for us to triage and respond to the report, we ask that you include the following information in your report:

  • System or product name and version (if applicable)
  • Vulnerable URL: the endpoint where the vulnerability occurs
  • Vulnerable Parameter: if applicable, the parameter where the vulnerability occurs
  • Vulnerability Type: the type of the vulnerability
  • Steps to Reproduce: step-by-step information on how to reproduce the issue
  • Screenshots or video: a demonstration of the attack
  • Attack scenario: an example attack scenario may help demonstrate the risk and get your issue resolved faster
  • Log files


Participating in Ping's Product Bug Bounty:

We are thrilled to announce Ping’s public bug bounty, focused solely on Ping’s products and services. The goal here is to leverage the capabilities of the entire research community and get as many good guys looking for issues as possible. All details of the program, including in-scope systems, bounty amounts and other rules of engagement, are available on the bug bounty program landing page.

Our Commitment

If you identify a verified security vulnerability in compliance with this responsible disclosure program, Ping Identity commits to:  

  • Establishing a remediation timeline with a definite end date.
  • Disclosing the vulnerability through our support page to best protect our customers (if in our customers’ best interest).

Certifications & Affiliations

ISO/IEC 27001:2013 Certification

Ping’s corporate office in Denver and our key products are ISO/IEC 27001:2013 certified. ISO 27001 is the international standard outlining best practices for information security management systems. Compliance with these standards demonstrates our commitment to a repeatable, continuously improving, risk-based security program. The management system was inspected by Coalfire ISO, Inc., a certification body for management systems accredited through the ANSI-ASQ National Accreditation Board (ANAB).


Established by the International Organization for Standardization (ISO), the standard requires the certification of an organization’s information security management controls for areas such as data security and business continuity. The certification extends to every level of an organization’s IT infrastructure stack, including asset management, access control, human resource security and application security.


The in-scope products for the ISO certification include PingOne, PingID, PingFederate, PingDirectory, PingAccess, PingDataSync and PingDataGovernance.


Service Organization Controls (SOC)

SOC Reports help customers build trust and confidence in Ping Identity’s control procedures via stringent verification and validation of Ping’s control activities and processes conducted by an independent Certified Public Accountant. The American Institute of Certified Public Accountants (“AICPA”) created the Service Organization Control Report framework replacing SAS 70 with SSAE 16.


The SOC 2 Report focuses on controls, called Trust Services Principles, related to security, availability, confidentiality, processing integrity and privacy - validating that the system is protected against unauthorized physical and logical access, for example. As with SAS 70 reports, an organization can receive either a Type I or a Type II report. Type I merely reports on the suitability of the controls, while Type II tests the effectiveness of the controls. Our SOC 2 Report focuses on the Security and Availability principles. The SOC 2 Report is available to customers and prospective customers upon request and execution of a Non-Disclosure Agreement (NDA). Please contact your Account Manager if you would like to have a copy of the report.

Information Systems Security Association, Denver Chapter

The Information Systems Security Association (ISSA) is an international not-for-profit organization of information security professionals and practitioners. It provides education forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.


ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure. The Denver chapter has been recognized as the largest chapter in the world, with over 500 members to date. The Denver chapter president is Ping Identity’s own Chief Information Security Officer, Robb Reck, and numerous Ping employees are active members. Visit the ISSA Denver chapter’s website to learn more.


Cloud Security Alliance STAR Registry

The CSA Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.


CSA STAR is open to all cloud providers, and allows them to submit self-assessment reports that document compliance to CSA-published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.


Please visit Ping Identity’s member site for access to our CAI questionnaire.

FBI InfraGard

InfraGard members have access to an FBI secure communications network featuring an encrypted website, web mail, listservs and message boards. The website plays an integral part in the FBI’s information-sharing efforts to disseminate threat alerts and advisories, as well as to send out intelligence products from the bureau and other agencies.


There are 85 InfraGard chapters with a total of more than 35,000 members who work with the FBI through field offices to ward off attacks against critical infrastructure that can come in the form of computer intrusions, physical security breaches or other methods. These members represent state, local and tribal law enforcement, academia, other government agencies, communities and private industry. Ping Identity employees are affiliated with the InfraGard Denver Members Alliance (IDMA).


OWASP Member

The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.


OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain applications that can be trusted. All of the OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security. They advocate approaching application security as a people, process and technology problem, because the most effective approaches to application security include improvements in all of these areas. Visit the OWASP website to learn more.

Take the Next Step

See how Ping can help you stay ahead of the curve in a rapidly evolving digital world.