Vulnerability Handling Policy
NetApp has a robust product security vulnerability and response handling policy.
Here you can learn how to report potential security vulnerabilities in NetApp products and services, and about our standard practices for informing customers of verified vulnerabilities.
NetApp follows secure development principles throughout our product development lifecycle. We expand and improve on our secure-development programs on a continuing basis. As a part of our standard procedures, we implement secure design principles, developer training, and extensive testing programs.
NetApp follows a standard process to address vulnerabilities and notify our customers.
- Vulnerability report received. NetApp encourages customers and researchers to use PGP-encrypted emails to transmit confidential details to our Vulnerability Response Team (PSIRT). NetApp will investigate a suspected vulnerability in our products and confirm receipt of the vulnerability report within seven business days.
- Verification. NetApp PSIRT engineers will verify the vulnerability and provide an assessment using the CVSS framework.
- Resolution development. NetApp strives to deliver critical fixes and mitigations to the customer base as rapidly as our stringent quality-control standards allow; testing and verification are often time-intensive processes.
- Notification. NetApp will disclose the minimum amount of information required for a customer to assess the impact of a vulnerability in their environment, as well as any steps required to mitigate the threat. NetApp does not intend to provide details that could enable a malicious actor to develop an exploit.
- Attribution. NetApp will credit the external vulnerability discoverer(s) in the advisory if they have provided explicit consent to be identified, and if they have given NetApp the opportunity to remediate and notify our customer base before making the vulnerability public.
When reporting vulnerabilities, review existing NetApp vulnerability reports to confirm you’re reporting something new.
NetApp scores security vulnerabilities and prioritizes responses according to industry standards.
To standardize the description of each public vulnerability, NetApp® security advisories reference a CVE-ID. NetApp uses version 3.0 of the Common Vulnerability Scoring System (CVSS) to determine vulnerability priority and notification strategy.
Our security advisories and notices include the NetApp-determined Base vulnerability score. We encourage customers using CVSS for vulnerability classification and management to compute their own Temporal and Environmental scores to take full advantage of the CVSS metrics.
Standard delivery methods for NetApp security information:
- Security Advisory — significant security vulnerabilities that directly affect NetApp products and require an upgrade, patch, or direct customer action to remediate.
- Security Bulletin — low- and medium-severity security issues that impact NetApp products.
- Security Notices — may be used when a third party makes an unconfirmed public statement about a perceived NetApp product vulnerability, or NetApp products are unofficially implicated in security incidents.
- Security Bug Reports — provide information about low-severity security vulnerabilities, available via Bugs Online (requires login).
Read more about CVE-IDs at the Mitre.org page.
For more information about CVSS, visit the FIRST.org/cvss website.
NetApp’s adherence to standards and participation in standards bodies shows our commitment to security best practices.
The following industry standards and mandates guide the handling of product vulnerabilities at NetApp and the disclosure of vulnerabilities to our customers and the broader technology community:
- National Infrastructure Advisory Council (NIAC) – Disclosing and Managing Vulnerability Guidelines
- ISO/IEC 29147:2014(E) – Information technology — Security techniques — Vulnerability disclosure
- ISO/IEC 30111:2013(E) – Information technology — Security techniques — Vulnerability handling processes
NetApp is currently participating in the following security communities: