How to get a response from Pega on pentest findings

We had a pentest done and found vulnerabilities. I reported them in SR-117509, and Pega was reacting to the findings.

We did a retest. Unfortunately two vulnerabilities are still open. I reported them to Pega 9 days ago, but I haven’t got any reaction from Pega on this. I started raising the findings as security incidents. Still no answer.

What can I do to get somebody at Pega to close those vulnerabilities?

Hello @MichaelK1674 many thanks for alerting us to this issue.

I have checked the ticket SR-117509 which was reopened once you found the security issues. It was originally logged to notify the cloud team of your intended security tests.

I can see it was reopened once you found some issues. I believe that the correct support ticket to be referencing for the actual product investigation into your pentest results is INC-236134 which is also still open. That INC-236134 is a better ticket as it deals with a product issue, rather than a cloud service request.

I can shed some light on some of your concerns:

  1. With regard to your concern about ckeditor 4.7.1 being out of date, please take a look at our response in this forum question: CKEEditor and Fusion Charts.

I can see that you have an open support ticket to help answer that question: INC-237977

  2. With regard to your concerns about ‘The jQuery libraries in use are deprecated’, please take a look at our response in this forum question: Can we upgrade JQuery and JQuery UI libraries in 8.2.8 to latest versions.

jQuery has been upgraded to 3.6.0 and jQuery UI to 1.13.1 in Pega 8.7.1, so on either 8.7.1 or 8.7.2 you should be on jQuery version 3.6.0. Now the question is what went wrong, as it should be 3.6.0. The investigation will require evidence that 3.2.1 is still there. I can see that you have logged INC-237837, where support is helping investigate this particular issue.

Also, can you please confirm that you checked the following document which contains complete instructions on security testing requirements?

https://docs-previous.pega.com/pega-cloud/cloud/vulnerability-testing-policy-applications-pega-cloud
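The answer above asks for evidence that jQuery 3.2.1 is still being served. The script below is an added example (not code from this thread or from Pega) showing one way to produce that evidence offline: it reads the version banner that upstream jQuery and jQuery UI release files carry in their first bytes and compares the detected version against the versions the answer names for Pega 8.7.1 (jQuery 3.6.0, jQuery UI 1.13.1). The script URLs and bodies are constructed sample inputs; in a real check you would save the script files the application page actually loads and feed those in.

```javascript
// Added example: detect jQuery / jQuery UI versions from library banners
// and flag anything older than the versions stated for Pega 8.7.1.
// Sample sources and their URLs below are constructed for this example.

const EXPECTED = { jquery: "3.6.0", "jquery-ui": "1.13.1" };

// Banner forms used by upstream release builds:
//   "/*! jQuery v3.2.1 | (c) ..."            (minified jQuery)
//   " * jQuery JavaScript Library v3.2.1"    (unminified jQuery)
//   "/*! jQuery UI - v1.12.1 - 2016-09-14"   (jQuery UI, both builds)
const PATTERNS = {
  jquery: /jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)/,
  "jquery-ui": /jQuery UI - v(\d+\.\d+\.\d+)/,
};

// Compare dotted version strings numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// sources: array of { url, body }. Returns one finding per detected library,
// with `outdated` set when the detected version is below EXPECTED.
function detectLibraryVersions(sources) {
  const findings = [];
  for (const { url, body } of sources) {
    // The banner sits at the top of the file; scanning the head avoids
    // walking through large application bundles.
    const head = body.slice(0, 512);
    for (const [lib, re] of Object.entries(PATTERNS)) {
      const m = head.match(re);
      if (!m) continue;
      const version = m[1];
      findings.push({
        lib,
        version,
        url,
        outdated: compareVersions(version, EXPECTED[lib]) < 0,
      });
    }
  }
  return findings;
}

// Constructed sample inputs: a jQuery 3.2.1 build, a jQuery UI 1.12.1 build
// and an application script with no banner at all.
const SAMPLE_SOURCES = [
  {
    url: "/static/jquery.min.js",
    body: "/*! jQuery v3.2.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){}",
  },
  {
    url: "/static/jquery-ui.min.js",
    body: "/*! jQuery UI - v1.12.1 - 2016-09-14\n* http://jqueryui.com\n* Includes: widget.js */\n(function(t){})",
  },
  {
    url: "/static/app.js",
    body: "(function () { /* application code, no library banner */ })();",
  },
];

function main() {
  for (const f of detectLibraryVersions(SAMPLE_SOURCES)) {
    const verdict = f.outdated ? `OUTDATED (expected ${EXPECTED[f.lib]})` : "ok";
    console.log(`${f.lib} ${f.version} at ${f.url}: ${verdict}`);
  }
}

if (typeof require !== "undefined" && require.main === module) main();

module.exports = { compareVersions, detectLibraryVersions, SAMPLE_SOURCES, EXPECTED };
```

The banner check is useful because it works on saved files and needs no live session. As a quicker cross-check in a browser where the application is loaded, `jQuery.fn.jquery` and `jQuery.ui.version` in the developer console report the versions the page actually executed, which is the kind of screenshot-able evidence a support ticket usually asks for.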

@MarijeSchillern Thanks for your help. I can confirm that we were following the instructions on security testing: we chose a staging environment, we announced the test, and I handed over the results.

After raising this question I got a response on short notice, after I had not been able to get any reaction to the security findings for 9 days. At present I am trying to arrange a meeting between the pentester and Pega support. The pentester proposed several dates. Hopefully at least one will be convenient for Pega support.

I don’t want to go into details in public about security findings in our Pega Cloud installation. Therefore you may close this question.