Qlik takes the security of our products seriously. We have a dedicated team of security experts working on testing, hardening and securing our products. We also work closely with external security companies, our customers and partners to ensure the security of our products is of the highest standard.
What do I do if I find a security vulnerability in a Qlik product?
Please report any security vulnerability concern to Qlik Support. For an accurate an detailed evaluation of a potential security vulnerability, it is important to clear describe the scenario in which a vulnerability has been exposed. This includes describing the steps for how security is compromised and what detail can be exposed by an attacker.
Notice, that generic test reports from 3rd auditing tools typically do not include detailed steps of vulnerability exposure in their security report. These reports commonly referring to potential risk based patterns, they do not actually expose a vulnerability as part of their system evaluation. Consequently this means that the default report details are not enough for Qlik to take any immediate action on based on the raised concern. Please consult 3rd party security auditor or local security expert for complete test case details before reporting support case with Qlik.
To enable qualified and efficient investigation and action by Qlik, please report each vulnerability concern as an individual support case with Qlik Support. This means that each concern raised in a 3rd party test report must be reported as a separate support case.
For each case consider adding as much detail as possible, in line with below items:
Qlik product name
Qlik product version
Test case subject/name (if based on test report)
Complete penetration test report (attach full report for reference)
Name of security tool used for testing
Details of how to replicate the vulnerability
Step by step description on how to expose vulnerability
Recording of reproduction
Supporting material, e.g. logs, traffic traces or screenshots