Progress OpenEdge Security Guidelines
Last Updated: 22 October 2019
DISCLAIMER: Note these guidelines are meant to outline Progress’ general protocols for handling security vulnerabilities and are not intended to be exhaustive or all-inclusive. At times, there may be circumstances that necessitate different action than detailed below and Progress may utilize its experience and expertise to exercise judgment to take alternative actions. All customers and end users should refer to their respective applicable End User License Agreement for any contractual obligations.
These Progress OpenEdge Security Guidelines outline the general principles under which Progress manages the reporting, management, discussion, and disclosure of Vulnerabilities discovered in OpenEdge software and related components.
These Security Guidelines use the ISO 27005 definition of Vulnerability: "A weakness of an asset or group of assets that can be exploited by one or more threats", where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission.
2. OpenEdge Security Team
The Progress OpenEdge Security Team is the first line of defense, using its security expertise to identify and triage reported vulnerabilities. The Security Team will assess and monitor security issues in a transparent way with OpenEdge Product Management. It will seek to control risk and exposure to customers who use OpenEdge products. The remediation of security issues resides with the OpenEdge engineering teams who resolve vulnerabilities under the direction of the OpenEdge Security Team and using industry best practices.
If you are a Progress customer or partner, please use the Progress OpenEdge Support site to open a support case for any security vulnerability you believe you have discovered in OpenEdge product(s).
If you are not a customer or partner, please report your discovery using the email@example.com email address. This email address should only be used for the purpose of reporting undisclosed Vulnerabilities. All other issues will be ignored. Please contact OpenEdge Technical Support for all other issues and questions not related to Security Vulnerabilities.
We recommend you encrypt your email using our PGP public key listed at the bottom of this page.
All reported or internally discovered vulnerabilities will be assessed and scored by the OpenEdge Security Team according to the latest published standard of the Common Vulnerability Scoring System (CVSS) provided by the National Infrastructure Advisory Council (NIAC).
A security vulnerability may - at the discretion of the Security Team or Product Management - be escalated to an outside body such as the Computer Emergency Response Team (CERT) of the Software Engineering Institute (SEI).
A reported or internally discovered vulnerability is considered resolved when either:
- A security update is provided
- A workaround is made available or is identified and communicated to OpenEdge customers
- It is determined that a fix is not possible or desirable
- It is determined that a reported vulnerability is not actually a vulnerability
A vulnerability that cannot be fixed in a timely manner in accordance with these OpenEdge Security Guidelines will be disclosed following the protocol described in the “Timing” section of this document.
Once a Vulnerability has been resolved, the Security Update announcement will be posted on this site and the security update will be made available to all OpenEdge customers via the Download Center. Customers with an active maintenance agreement will also be notified by Progress Technical Support.
Disclosure, including a summary of the security assessment, is initially limited to the reporter but may be expanded, at the discretion of Progress, to include other customers and/or security experts for the purposes of soliciting subject-matter help or advice. The intent of disclosing any information about security vulnerabilities is always to minimize risk and exposure of our customers’ computing assets.
All reported vulnerabilities that are assessed above a CVSS score of zero will be disseminated using a Responsible Disclosure approach. This approach avoids the risk of sharing all vulnerability information prematurely or to any excess that could be used by malicious parties to exploit OpenEdge applications before a corrective action can be taken by the product users.
Typically, Public Disclosure of a vulnerability is announced with an accompanying patch or remediation instruction. However, Progress may determine at times that users and/or administrators of OpenEdge software should be made aware of a vulnerability in advance so that they can assess their own risk and take appropriate action to protect potentially vulnerable software, users, servers and systems. Customers with an active maintenance contract may receive notice of, or mitigation instructions for, a known vulnerability in advance of a patch in one of two ways:
- Product Alert: Through the Product Alert Customer Portal when the CVSS assessment is rated below 9.
- Critical Alert: Through a Progress outreach campaign of email communication to customers and partners when the CVSS assessment is rated at 9 or above.
The timing of disclosure is left to the discretion of the OpenEdge Security Team and Product Management and is in line with the Responsible Disclosure approach and the following guidelines:
- Vulnerabilities for which there is a Security Update, workaround or fix should be disclosed to all customers with an active maintenance contract immediately.
- All Vulnerabilities - regardless of state - should be disclosed to all customers with an active maintenance contract no later than three months after being assessed and scored.
Vulnerabilities need not necessarily be resolved at the time of disclosure.
Progress values the members of the independent security research community who find security vulnerabilities and work with us so that security fixes can be issued to all OpenEdge customers. Our policy is to credit all researchers in the Security Update announcement when a fix for the reported security vulnerability is issued. In order to receive credit, security researchers must follow Responsible Disclosure practices, including:
- They do not publish the vulnerability prior to Progress releasing a fix for it
- They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code
Progress does not credit employees or contractors of Progress and its subsidiaries for vulnerabilities they have found.