Product Security Policy
Product Security Vulnerability Response and Remediation Policy
Security is paramount in building customer trust and confidence. Pure Storage’s products and services are developed using security-by-design principles. We have established a robust Product Security and Incident Response Team (PSIRT) to investigate, respond to, and communicate security vulnerabilities impacting our products and cloud services. This policy outlines our approach to handling and responding to security incidents to protect our customers and maintain the integrity of our products.
Reporting Security Vulnerabilities
Potential vulnerabilities or incidents impacting Pure Storage’s products or services can be reported to psirt@purestorage.com. We highly encourage sending us a secure email using our PGP encryption key.
Pure’s Product Security & Incident Response Team (PSIRT) will receive and promptly investigate the reported vulnerabilities. Response timelines may vary depending on factors such as scope, complexity, severity and impact. If the vulnerability is determined to be valid, it will be prioritized based on the impact, likelihood and exploitability of the reported vulnerability.
How Pure Storage Scores Vulnerabilities
Pure Storage uses the industry-standard Common Vulnerability Scoring System (CVSS 3.1) to assess and determine the vulnerability score. The following criteria must be met for scoring vulnerabilities:
- Must be a valid vulnerability in Pure Storage maintained code.
- The vulnerability must exist in supported versions of the products.
Pure Storage’s vulnerability scoring is aligned with standards defined by the Forum of Incident Response and Security Teams (FIRST.org). Refer to the table below:
CVSS Score | Severity
---|---
9.0 - 10.0 | Critical
7.0 - 8.9 | High
4.0 - 6.9 | Medium
0.1 - 3.9 | Low
Security Bulletins & Advisories
Pure Storage will disclose security vulnerabilities and appropriate mitigations through security advisories and bulletins. The advisories will include at a minimum the following information:
- Description of the vulnerability
- Impacted products
- Fixed versions
- CVSS score and vectors
- Remediation information including workaround (if applicable)
On occasion, based on the scope, impact and affected install base of a security vulnerability, Pure may also determine that email notification is required to alert our customers to critical vulnerabilities that require immediate attention, in line with our privacy policy.
On a case-by-case basis, Pure may publish a security bulletin to acknowledge a publicly known security vulnerability, and to provide guidance regarding when (or where) additional information will be available.
Pure may publish security related articles to share information about security-related topics such as:
- Release of new security hardening features;
- Security configuration guides and best practices;
- Security vulnerabilities in third-party components, identified by vulnerability scanning tools but which are not exploitable from within the specified product.
The following table identifies how Pure Storage provides customer-facing information regarding security vulnerabilities.
CVSS Score | Severity | Bulletin | Advisory | Release Notes
---|---|---|---|---
9.0 - 10.0 | Critical | Yes | Yes | Yes
7.0 - 8.9 | High | As Needed | Yes | Yes
4.0 - 6.9 | Medium | As Needed | As Needed | Yes
0.1 - 3.9 | Low | As Needed | As Needed | Yes
Pure security bulletins and advisories are available at https://purestorage.com/security.
End Of Life Policy
All Pure Products and services are subject to Pure’s End-of-Product Lifecycle Overview. For additional information, please see the End of Product Life Cycle and Upgrade Policy in Pure Storage End User License Agreement (EULA).
Responsible Disclosure
At Pure Storage, we believe in transparency and accountability when it comes to the security of our products and services. We are committed to publishing CVEs (Common Vulnerabilities and Exposures) for known security vulnerabilities, normally 90 days after a fix is made available to our customers. This is required to provide our customers with the opportunity to safely upgrade and/or apply necessary patches prior to a public notification. Pure Storage may also issue interim workarounds, where available, for critical vulnerabilities that require a longer remediation timeframe. Pure Storage reserves the right to make exceptions to this policy when necessary.
Safe Harbor
Vulnerabilities reported to Pure Storage in compliance with this policy will be considered authorized. Pure Storage will not initiate any legal action against you for reporting vulnerabilities.
Bug Bounty Program
While Pure encourages customers to report critical vulnerabilities they become aware of, so that we can constantly strive to improve the security posture of our products, at this time Pure does not offer compensation for reporting security vulnerabilities.
If you have any questions about this policy, please reach out to psirt@purestorage.com.
Contact Information
Please also see Pure Storage Security Home, and Pure Storage Security Contact Information.