Security
As the Progress Chef team, we take security seriously. Whether it is the code we write, the software we use or the platform we provide, security is always important. We know that you rely on Chef to help grow and manage the critical moving pieces of your business. As such, we are committed to protecting your investment.
Responsible Disclosure Policy
Chef is a part of Progress, and our portfolio contains enterprise, hosted and open-source solutions for our customers’ and community’s DevSecOps needs. Our security policy is based on responsible disclosure and accountability to the organizations who entrust us with their workloads. Our priority is to ensure that our customers can use and operate our products securely at all times. We also receive community-reported vulnerabilities, and our commitment is to accept, triage and prioritize the engineering work needed to deliver our products at this quality bar.
Security information, including certifications for all Progress products, is available on our Progress site. In keeping with responsible disclosure, we will not publish details of specific, unresolved vulnerabilities until customers have been afforded a chance to update their systems to the patched versions. We ask our reporters to follow this process as well. Please do not post details of security-related issues in open forums such as Slack, Teams or Discourse. If a security issue is posted in an open channel, we will move it to the right channel but will not update the original posting with any further information.
For privacy questions, Chef services operate under the Progress data protection and privacy standards described at the Progress Privacy Center.
Need to report a security bug or vulnerability?
If you find an issue or any other vulnerability to report, we certainly want to hear about it! If you are a current Chef customer, you can report issues through the Customer Support Portal.
If you are not currently a Chef customer, you can report issues through our Vulnerability Disclosure Program.
Our service level objectives (SLOs) are described on the Progress vulnerability reporting page. We will typically ask that the reporter refrain from posting publicly about the issue for 90 days (embargoed communication). After the specific issue is fully estimated for a fix, we may return to the reporter with a revised embargo period. The embargo on public discussion is intended to allow time for us to develop fixes and for customers to adopt them. When you report a security vulnerability, we will give you a tracking number in our backlog which can be used to inquire about status, and which will appear in the final release notes accompanying the specific product fix release and in our regularly published listings of fixed CVEs. It is in the best interest of our customers to get fixes for Chef tools and platforms quickly, in time to avoid any compromise of their security, so we anticipate that our embargo will be measured in days and weeks, not months or years.
We score vulnerabilities using the Common Vulnerability Scoring System (CVSS): https://www.first.org/cvss/. Fixed vulnerabilities will be listed in the release notes for the product version in which the fix is available. Customers with access to the support portal and specific partners under NDA will be able to receive more frequent updates on fixes being developed.
If the reported issue is deemed a non-security bug – for example, a new feature request – we’ll ensure it gets to the right product team.
Hosted services
For the services and applications which Chef operates on behalf of our customers and users, we operate under audited Progress standards; service descriptions can be accessed through the customer support portal.
If a security issue or vulnerability is found in any of our hosted services, please report it per the above process.
Chef Security Quality Assurance
We use many publicly available tools as well as Progress-developed tools to perform three types of QA on our products: Software Composition Analysis (SCA), Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).
Although we do not publish the specific results of these tools, their findings are triaged for each product and placed in the appropriate backlogs. Similarly, since many of the Chef products are open source, we routinely run GitHub security tools and incorporate that feedback into our planning.
If you have a scan result from a publicly available tool and would like a consultation on its findings, please open a request in the Customer Support Portal.