Responsible Disclosure Policy

Pega believes independent security researchers play a valuable role in internet security, and we encourage responsible reporting of any vulnerabilities that may be found on our site or in our applications.
 
Registered clients or those working on behalf of a registered client, please report vulnerabilities via a Service Request (SR) on MySupport Portal at https://msp.pega.com.
 
Other stakeholders, please email security@pega.com or leave voicemail at +1 857-856-2100.

Responsible Research and Disclosure

If you are testing a Pega platform instance hosted in Pega Cloud, you must comply with the Pega Cloud Vulnerability Testing Policy: https://community.pega.com/knowledgebase/articles/pega-cloud/vulnerability-testing-policy-applications-pega-cloud-services.
 
Do not perform harmful activities as part of your security research, including but not limited to denying or degrading service to production systems, viewing or copying confidential personal or business data without permission, modifying or deleting data, using accounts that you are not authorized to use, or performing phishing or "social engineering" without permission.
 
Do not request compensation for security vulnerability reports. Pega does not offer bug bounties.

Pega's responsible disclosure process entails a 90-day embargo period during which we verify and fix the vulnerability before you disclose it to any third parties.
 
Please make your report as complete as possible, including HTTP requests and responses. We reserve the right to disregard vulnerability reports that have insufficient evidence to reproduce.

Submitting the Report

Please write your report in English. Include as much detail as possible to enable us to quickly confirm the vulnerability. The full version number of the Pega platform and an HTTP request/response pair demonstrating the vulnerability are usually necessary. Please be sure to redact any sensitive information from your technical report.
 
Please include contact information so we can contact you directly. If you do not wish to be contacted, that is acceptable but may impede our ability to investigate and correct the vulnerability.

How We Will Respond

If you follow the above guidelines, Pegasystems will regard your vulnerability report as responsible and will make a good faith effort to confirm and correct the vulnerability. Pega will not pursue legal action against, nor request law enforcement investigation of, researchers who follow the responsible disclosure policy.
 
We will contact you within 5 business days to confirm your report has been received and read.
 
We will attempt to replicate the vulnerability and will inform you of our findings. We may request clarification or additional information from you to expedite reproducing the vulnerability. We will triage the vulnerability, assign a CVSS score, and notify you of the score. If a potential vulnerability is confirmed and is determined to represent a significant security risk, Pega will notify impacted customers and then publish a CVE as appropriate.
 
Within 90 days after receiving your report, we will notify Pega customers as appropriate, so they can protect their systems.
 
If we publish an official security bulletin or advisory, including a CVE, we will acknowledge you as the discoverer of the vulnerability, unless you request anonymity.