Reporting Security Vulnerabilities

Back to Security

For Progress Customers:

At Progress we work diligently to identify and correct any security issues found in our products. Customers who believe they have identified a security issue or vulnerability in one of our products are advised to contact Technical Support in order to have an engineer evaluate and document a possible security issue for our engineering teams to confirm and remedy when appropriate. Customers wishing to report a suspected security vulnerability should contact Technical Support.

For Security Researchers:

Progress values its partnership with the security researcher community and encourages reports of suspected vulnerabilities in our web sites or products. Security Researchers and Ethical Hackers may submit suspected vulnerabilities via the submission form below, and we will make a best effort to meet the following response times.

Type of Response SLO in business days
First Response7 days
Time to Triage10 days
Time to Resolutiondepends on severity and complexity

Disclosure Policy

  • As this is a private program, please do not discuss any vulnerabilities (even resolved ones) without express consent from Progress.
  • Follow BugCrowd's disclosure guidelines.

Guidance Around Writing Effective Vulnerability Reports

  • Details around discovery methodology
    • Describe how the vulnerability was discovered
      • Tools, techniques, procedures
    • Include specific information around the target
      • Software versions, database types, etc
  • Accurate reproduction steps
    • Explicit instructions on how to induce the vulnerability
    • Details around any specific conditions required for the vulnerability to be triggered
  • Risk assessment information
    • Details risks associated with the discovered vulnerability
    • Provide context on how the vulnerability could be exploited
  • Additional tips for reports
    • Includes screenshots or scripts (if applicable)
    • Be clear and precise with reporting language

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Progress and our users safe!

Submit Vulnerability Report

You're about to submit a report to Progress. Provide as much information as possible about the potential issue you have discovered. The more information you provide, the quicker Progress will be able to validate the issue. If you haven't yet, please remember to review our Security Page.

Submit Vulnerability Report

Contact information

Privacy

Questions about Progress’ privacy practices and how we handle your personal data

privacy@progress.com

Copyrights

Use of Progress Software copyrighted materials or notice of copyright infringement

copyrights@progress.com

Trademarks

Questions about or requests to use Progress Software trademarks, logos or branding

trademarks@progress.com

General legal

legal@progress.com

Governance

bod@progress.com

Security

Questions about Security, Privacy, Compliance and Due Diligence

security@progress.com