Pure Technical Services

Product Security Policy

Product Security Vulnerability Response and Remediation Policy

Security is paramount in building customer trust and confidence. Pure Storage's products and services are developed using security-by-design principles. We have established a Product Security and Incident Response Team (PSIRT) to investigate, respond to, and communicate security vulnerabilities affecting our products and cloud services. This policy outlines how we handle and respond to security vulnerabilities and incidents in order to protect our customers and maintain the integrity of our products.
 

Reporting Security Vulnerabilities 

Potential vulnerabilities or incidents affecting Pure Storage's products or services can be reported to psirt@purestorage.com. We strongly encourage you to encrypt your report to our PGP encryption key so that technical details do not travel in clear text.

Pure's Product Security and Incident Response Team (PSIRT) will receive and promptly investigate reported vulnerabilities. Response timelines vary with factors such as scope, complexity, severity and impact. If the vulnerability is determined to be valid, it will be prioritized based on its impact, likelihood and exploitability.

How Pure Storage Scores Vulnerabilities 

Pure Storage uses the industry-standard Common Vulnerability Scoring System (CVSS 3.1) to assess vulnerabilities and determine their score. The following criteria must be met for a report to be scored:

  • It must be a valid vulnerability in Pure Storage-maintained code.

  • The vulnerability must exist in supported versions of the products.

Pure Storage's severity ratings follow the CVSS 3.1 qualitative severity scale defined by the Forum of Incident Response and Security Teams (FIRST.org). Refer to the table below:

Table 1.1 Pure Storage Vulnerability Ratings/Score

CVSS Score    Severity
9.0 - 10.0    Critical
7.0 - 8.9     High
4.0 - 6.9     Medium
0.1 - 3.9     Low

Security Bulletins & Advisories

Pure Storage discloses security vulnerabilities and the appropriate mitigations through security advisories and bulletins. An advisory will include at a minimum the following information:

  • Description of the vulnerability

  • Impacted products

  • Fixed versions

  • CVSS score and vector string

  • Remediation information, including a workaround where one is applicable

Depending on the scope, impact, and affected install base of a vulnerability, Pure may on occasion also notify customers by email of critical vulnerabilities that require immediate attention, in line with our privacy policy.

On a case-by-case basis, Pure may publish a security bulletin to acknowledge a publicly known security vulnerability, and to provide guidance regarding when (or where) additional information will be available.

Pure may also publish security-related articles to share information on topics such as:

  • Release of new security hardening features;

  • Security configuration guides and best practices;

  • Security vulnerabilities in third-party components that are flagged by vulnerability scanning tools but are not exploitable within the specified product.

The following table identifies how Pure Storage provides customer-facing information regarding security vulnerabilities, by severity.

Table 1.2 Pure Storage Vulnerability Communication

CVSS Score    Severity    Bulletin     Advisory     Release Notes
9.0 - 10.0    Critical    Yes          Yes          Yes
7.0 - 8.9     High        As Needed    Yes          Yes
4.0 - 6.9     Medium      As Needed    As Needed    Yes
0.1 - 3.9     Low         As Needed    As Needed    Yes

Pure security bulletins and advisories are available at https://purestorage.com/security.

End Of Life Policy

All Pure products and services are subject to Pure's End-of-Product Lifecycle Overview. For additional information, please see the End of Product Life Cycle and Upgrade Policy in the Pure Storage End User License Agreement (EULA).

Responsible Disclosure 

At Pure Storage, we believe in transparency and accountability when it comes to the security of our products and services. We are committed to publishing CVE records (Common Vulnerabilities and Exposures) for known security vulnerabilities, normally 90 days after a fix is made available to our customers. This window gives our customers the opportunity to safely upgrade and/or apply the necessary patches before public notification. Pure Storage may also issue interim workarounds, where available, for critical vulnerabilities that require a longer remediation timeframe. Pure Storage reserves the right to make exceptions to this policy when necessary.

Safe Harbor 

Vulnerabilities reported to Pure Storage in compliance with this policy will be considered authorized. Pure Storage will not initiate any legal action against you for reporting vulnerabilities in accordance with this policy.

Bug Bounty Program

Pure encourages customers and security researchers to report any security vulnerabilities they become aware of. At this time, Pure does not offer compensation for reporting security vulnerabilities. However, if the reported vulnerability is valid and requires a CVE record to be created, Pure will credit the finder/reporter in the CVE record.

If you have any questions about this policy, please reach out to psirt@purestorage.com.

Contact Information

Please also see Pure Storage Security Home and Pure Storage Security Contact Information.