Qlik Product Security and Vulnerability Policy

Sonja_Bauernfeind · Oct 9, 2025 8:21:29 AM

Does Qlik have a defined security policy?

Qlik takes product security seriously. We have a dedicated team of security experts working on testing, hardening and securing our products. We also work closely with external security companies, our customers and partners to ensure the security of our products is of the highest standard.

Our Qlik Trust and Compliance Center provides details for compliance and security questions across all Qlik products.

What do I do if I find a security vulnerability in a Qlik product?

Please report any security vulnerability concerns to Qlik Support. For an accurate and detailed evaluation of a potential security vulnerability, it is important to clearly describe the scenario in which a vulnerability has been exposed. This includes describing the steps for how security is compromised and what details can be exposed by an attacker.

Notice that generic test reports from 3rd auditing tools typically do not include detailed steps of vulnerability exposure in their security report. These reports commonly refer to potential risk-based patterns; they do not actually expose a vulnerability as part of their system evaluation. Consequently, this means that the default report details are not enough for Qlik to take any immediate action based on the raised concern. Please consult a third-party security auditor or local security expert for complete test case details before reporting a support case with Qlik.

To enable qualified and efficient investigation and action by Qlik, please report each vulnerability concern as an individual support case with Qlik Support. This means that each concern raised in a 3rd party test report must be reported as a separate support case.

For each case, consider adding as much detail as possible, in line with the following items:

Qlik product name
Qlik product version
Test case subject/name (if based on test report)
Complete penetration test report (attach full report for reference)
Name of the security tool used for testing
Details of how to replicate the vulnerability
- Step-by-step description of how to expose a vulnerability
- Recording of reproduction
- Supporting material, such as logs, traffic traces, or screenshots
Vulnerability impact
- Type of information exposed
- Unauthorized access to content
CVSS score if one is provided by a security auditor
CWE (Common Weakness Enumeration) classification, if one is provided

RufusKirk · ‎2023-01-30

Thanks for your interesting post about Qlik's security policy! As stated in your post, Qlik takes security seriously and have invested in a dedicated team of security experts and have external security companies at their side.

MeganBriggs · ‎2023-01-30

Great post on Qlik's security policy and how to handle potential vulnerabilities. It's always important for companies to have dedicated teams and resources in place to ensure the security of their products.

Ken_T · ‎2023-08-02

If Qlik finds a security vulnerability in one of their products, how are customers notified?

Sonja_Bauernfeind · ‎2023-08-03

Hello @Ken_T

I'll get back to you on this question.

All the best,
Sonja

ppmc_united · ‎2023-09-06

Hi @Sonja_Bauernfeind

in the meantime, is there an update on the question posed by @Ken_T "If Qlik finds a security vulnerability in one of their products, how are customers notified?"

TIA

Sonja_Bauernfeind · ‎2023-09-18

Hello @ppmc_united and @Ken_T

For security-related incidents, Qlik follows a Responsible Disclosure approach for any vulnerability that rates as High or Critical by our Software Security Office. This approach includes publishing a Security Bulletin to alert our customers and partners through a blog post, collaborating with the reporter of the vulnerability if applicable, creating software fixes as soon as possible, and/or providing mitigation until fixed.

Additional methods are being investigated, but no details or timeframe can be given at this point.

All the best,
Sonja

ArmaganYali · ‎2025-06-24

Hello @Sonja_Bauernfeind

As a result of the customer's security team's checks, CVE-2025-32433 Erlang / OTP was found on the server where Nprinting was installed last week. But now we are faced with a new vulnerability code. We could not find any information or documentation about it.

Old vulnerability code: CVE-2025-32433
New vulnerability code: CVE-2025-4748

The customer is using the February 2024 SR3 NPrinting version. Which version fixes this vulnerability?

I opened a case with Qlik Support but they said that if I contact you through this article, an engineer will be assigned to this case and you can contact me for further technical assistance.

Regards,
Armağan

Sonja_Bauernfeind · ‎2025-06-24

Hello @ArmaganYali

I believe this is misunderstood.

This article is for your reference, not meant to be where you get support. It is meant to give you more information and let you know what sort of information you need to send to support. An engineer will work with you on the case directly. Please communicate with the engineer directly in your case. From what I can see it has already been assigned.

All the best,
Sonja

ArmaganYali · ‎2025-06-24

Ok, I probably misunderstood.
Thank you @Sonja_Bauernfeind