This blog post was co-authored by Peter Lefkowitz, Chief Privacy and Digital Risk Officer.

Security is one of our top priorities at Citrix, and we are committed to tackling security vulnerabilities to help keep our customers running smoothly. As part of this commitment and to help our stakeholders stay up to date in a constantly changing security environment, we’ve added a Vulnerability Response section to our Citrix Trust Center.

In the Vulnerability Response section, you’ll find:

  • Details on how Citrix handles reported security vulnerabilities
  • Guidance on how to report and follow up on vulnerabilities
  • Criteria and other details about our patch “pre-notification” program
  • How to stay up to date on existing security vulnerabilities
  • A “hall of fame” recognizing security researchers who have worked with us on coordinated vulnerability disclosure

The Citrix Security Response Process

Citrix’s Secure Development Lifecycle (SDLC) program includes a robust security response process that accepts vulnerability reports on Citrix products and services from external sources like customers and researchers. Our vulnerability response process, led by the Citrix Security Response Team, adheres to international standard ISO/IEC 29147:2018. This dedicated, global team is responsible for managing the receipt, verification, and public reporting of information about security vulnerabilities in Citrix products.

Once a vulnerability is reported, our Security Response Team works closely with our product development teams and follows the vulnerability response process of investigation, variant analysis, verification and remediation. The team works with the reporter throughout the resolution process.

Pre-notification Program – Aids in Planning

Citrix also offers pre-notification of upcoming bulletins one to two weeks ahead of public release to a limited group of pre-qualified customers and partners. Notifications contain the product name, affected version(s) (major releases only), criticality of the vulnerability, and expected date of release.

Qualification details for the pre-notification program and how to submit a request for consideration can be found on our reporting vulnerabilities page under the pre-notification and security bulletins section.

How You Can Stay Informed, Connected

You can stay informed about security vulnerabilities by updating your support notifications to receive future security bulletins by email or you can subscribe to the RSS feed. You also can also find more information about reporting vulnerabilities on the Trust Center’s reporting vulnerabilities page.

Citrix designs its products around centralized delivery, visibility, and control of apps and data with a critical eye on cybersecurity and data privacy. You can learn more about how Citrix approaches security, privacy, and compliance and get the latest updates in our Citrix Trust Center.