Along with our corporate security measures, Progress DataDirect emphasizes transparency, proactivity, and responsiveness in our security policies and practices. To increase transparency, we make a comprehensive statement-of-quality report available for any product build that you plan to adopt. This report gives direct end users confidence and gives ISVs information that will accelerate their release process. More specifically, these reports include:
Progress DataDirect utilizes industry standards like OWASP SAMM (Software Assurance Maturity Model) to regularly audit and emphasize a secure development lifecycle. These compliance audits make sure that our internal security practices stay robust and trustworthy.
While many aspects of the secure development lifecycle are internal, we are ultimately focused on our principles of providing transparency, trust, and secure products to our customers. Below is a subset of examples of how we achieve this:
Progress DataDirect SOC 2 Certification
SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
Progress DataDirect ISO 20243 Certification
ISO/IEC 20243-1:2018 (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle.
Upon identification of any security vulnerability, Progress DataDirect will exercise commercially reasonable efforts to address the vulnerability in accordance with the following policy:
| Priority* | Time Guideline | Version(s) |
|---|---|---|
| High Risk (CVSS 8+ or industry equivalent) | 30 days | Active (i.e. latest shipping version) and all Supported versions |
| Medium Risk (CVSS 5 to 8 or industry equivalent) | 180 days | Active (i.e. latest shipping version) |
| Low Risk (CVSS 0 to 5 or industry equivalent) | Next major release or best effort | Active (i.e. latest shipping version) |
\* Priority is established based on the current version of the Common Vulnerability Scoring System (CVSS), an open industry standard for assessing the severity of computer system security vulnerabilities. For additional information on this scoring system, refer to https://en.wikipedia.org/wiki/CVSS.