Qlik Security Vulnerability Policy

Last Update: Nov 10, 2022 3:15:52 AM
Updated By: Sonja_Bauernfeind
Created date: Aug 28, 2015 3:00:04 AM

Does Qlik have a defined security policy?

Qlik takes the security of our products seriously. We have a dedicated team of security experts working on testing, hardening and securing our products. We also work closely with external security companies, our customers and partners to ensure the security of our products is of the highest standard.

Our Qlik Trust and Compliance Center provides details for compliance and security questions across all Qlik products.

What do I do if I find a security vulnerability in a Qlik product?

Please report any security vulnerability concern to Qlik Support. For an accurate and detailed evaluation of a potential security vulnerability, it is important to clearly describe the scenario in which the vulnerability is exposed. This includes describing the steps by which security is compromised and what data an attacker can access as a result.

Note that generic reports from third-party auditing tools typically do not include detailed steps showing how a vulnerability is exposed. Such reports commonly flag potential risk patterns (for example, a detected software version or configuration setting) rather than demonstrating an actual, exploitable vulnerability in the evaluated system. Consequently, the default report details are not enough for Qlik to take immediate action on the raised concern. Please consult your third-party security auditor or a local security expert for complete test case details before opening a support case with Qlik.

To enable qualified and efficient investigation and action by Qlik, please report each vulnerability concern as an individual support case with Qlik Support. This means that each concern raised in a 3rd party test report must be reported as a separate support case.

For each case, include as much detail as possible, covering the items below:

  • Qlik product name
  • Qlik product version
  • Test case subject/name (if based on test report)
  • Complete penetration test report (attach full report for reference)
  • Name of security tool used for testing
  • Details of how to replicate the vulnerability
    • Step by step description on how to expose vulnerability
    • Recording of reproduction
    • Supporting material, e.g. logs, traffic traces or screenshots
  • Vulnerability impact
    • Type of information exposed
    • Unauthorized access to content
  • CVSS score if provided by security auditor
Comments
RufusKirk (Contributor)

Thanks for your interesting post about Qlik's security policy! As stated in your post, Qlik takes security seriously, has invested in a dedicated team of security experts and has external security companies at its side.

MeganBriggs (Contributor)

Great post on Qlik's security policy and how to handle potential vulnerabilities. It's always important for companies to have dedicated teams and resources in place to ensure the security of their products.

Ken_T (Specialist)

If Qlik finds a security vulnerability in one of their products, how are customers notified?

Sonja_Bauernfeind (Digital Support)

Hello @Ken_T 

I'll get back to you on this question.

All the best,
Sonja 

ppmc_united (Partner - Contributor II)

Hi @Sonja_Bauernfeind 

In the meantime, is there an update on the question posed by @Ken_T: "If Qlik finds a security vulnerability in one of their products, how are customers notified?"

TIA

Sonja_Bauernfeind (Digital Support)

Hello @ppmc_united and @Ken_T 

For security-related incidents, Qlik follows a Responsible Disclosure approach for any vulnerability that rates as High or Critical by our Software Security Office. This approach includes publishing a Security Bulletin to alert our customers and partners through a blog post, collaborating with the reporter of the vulnerability if applicable, creating software fixes as soon as possible, and/or providing mitigation until fixed.

Additional methods are being investigated, but no details or timeframe can be given at this point.

All the best,
Sonja 
