Ping Identity values the security researcher community greatly and appreciates those who help us improve the security of our corporate systems, products and services. If you’re a security researcher and have discovered a security vulnerability in any of our systems, products or services, we appreciate your help in disclosing it to us privately and giving us an opportunity to address it before publishing technical details. We will validate, respond to, and address vulnerabilities in support of our commitment to security and privacy.
To that end, we have created a couple of different ways to engage with Ping to report vulnerabilities. First is responsibly disclosing directly to our Security Team by filing a support case. Second, in order to get more eyes on our products and services, we have created a bug bounty program that pays for in-scope vulnerabilities in our products and services.
Responsibly disclose to Ping directly:
This is available for any vulnerabilities, whether in Ping’s products or services, our corporate website (pingidentity.com), or any other Ping infrastructure or systems. Please do not publicly disclose these details outside of this process without explicit permission. In order for us to triage and respond to the report, we ask that you include the following information in your report:
Participating in Ping's Product Bug Bounty:
We are thrilled to announce Ping’s public bug bounty, focused solely on Ping’s products and services. The goal here is to leverage the capabilities of the entire research community and get as many good guys looking for issues as possible. All details of the program, including in-scope systems, bounty amounts, and other rules of engagement are available on the bug bounty program landing page.
Our Commitment
If you identify a verified security vulnerability in compliance with this responsible disclosure program, Ping Identity commits to:
ISO/IEC 27001:2013 Certification
Ping’s corporate office in Denver and our key products are ISO/IEC 27001:2013 certified. ISO 27001 is the international standard outlining best practices for information security management systems. Compliance with these standards demonstrates our commitment to a repeatable, continuously improving, risk-based security program. The management system was inspected by Coalfire ISO, Inc., a certification body for management systems accredited through the ANSI-ASQ National Accreditation Board (ANAB).
Established by the International Organization for Standardization (ISO), the standard requires the certification of an organization’s information security management controls for areas such as data security and business continuity. The certification extends to every level of an organization’s IT infrastructure stack, including asset management, access control, human resource security and application security.
The in-scope products for the ISO certification include PingOne, PingID, PingFederate, PingDirectory, PingAccess, PingDataSync and PingDataGovernance.
Service Organization Controls (SOC)
SOC Reports help customers build trust and confidence in Ping Identity’s control procedures via stringent verification and validation of Ping’s control activities and processes conducted by an independent Certified Public Accountant. The American Institute of Certified Public Accountants (“AICPA”) created the Service Organization Control Report framework replacing SAS 70 with SSAE 16.
The SOC 2 Report focuses on controls, called Trust Services Principles, related to security, availability, confidentiality, processing integrity and privacy - validating that the system is protected against unauthorized physical and logical access, for example. As with SAS 70 reports, an organization can receive either a Type I or a Type II report. Type I merely reports on the suitability of the controls, while Type II tests the effectiveness of the controls. Our SOC 2 Report focuses on the Security and Availability principles. The SOC 2 Report is available to customers and prospective customers upon request and execution of a Non-Disclosure Agreement (NDA). Please contact your Account Manager if you would like to have a copy of the report.
The Information Systems Security Association (ISSA) is an international not-for-profit organization of information security professionals and practitioners. It provides education forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members.
ISSA is the community of choice for international cybersecurity professionals dedicated to advancing individual growth, managing technology risk and protecting critical information and infrastructure. The Denver chapter has been recognized as the largest chapter in the world with over 500 members to date. The Denver chapter president is Ping Identity’s own Chief Information Security Officer, Robb Reck, and numerous Ping employees are active members. Visit www.denver.issa.org to learn more.
The CSA Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.
CSA STAR is open to all cloud providers, and allows them to submit self-assessment reports that document compliance to CSA-published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.
Please visit Ping Identity’s member site for access to our CAI questionnaire.
InfraGard members have access to an FBI secure communications network featuring an encrypted website, web mail, listservs and message boards. The website plays an integral part in the FBI’s information-sharing efforts to disseminate threat alerts and advisories, as well as to send out intelligence products from the bureau and other agencies.
There are 85 InfraGard chapters with a total of more than 35,000 members who work with the FBI through field offices to ward off attacks against critical infrastructure that can come in the form of computer intrusions, physical security breaches or other methods. These members represent state, local and tribal law enforcement, academia, other government agencies, communities and private industry. Ping Identity employees are affiliated with the InfraGard Denver Members Alliance (IDMA).
The Open Web Application Security Project (OWASP) is a non-profit organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain applications that can be trusted. All of the OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security. They advocate approaching application security as a people, process and technology problem because the most effective approaches to application security include improvements in all of these areas. Visit www.owasp.org to learn more.
When it comes to our cloud solutions, our commitment to security and compliance doesn't stop with us. We also work with our customers to ensure that our solutions remain secure. More information about our shared responsibility is available here.