Product Security Incident Response Process

NetApp follows a standard process to address vulnerabilities and notify our customers.

Vulnerability report received. NetApp encourages customers and researchers to use PGP-encrypted emails to transmit confidential details to our Vulnerability Response Team (PSIRT). NetApp will investigate a suspected vulnerability in our products and confirm receipt of the vulnerability report within seven business days.

Verification. NetApp PSIRT engineers will verify the vulnerability and provide an assessment within the CVSS framework.

Resolution development. NetApp strives to deliver critical fixes and mitigations to the customer base as rapidly as our stringent quality-control standards allow; testing and verification are often time-intensive.

Notification. NetApp will disclose the minimum amount of information required for a customer to assess the impact of a vulnerability in their environment, as well as any steps required to mitigate the threat. NetApp does not intend to provide details that could enable a malicious actor to develop an exploit.

Attribution. NetApp will credit external vulnerability discoverer(s) in the advisory if they have provided explicit consent to be identified, and if they provide NetApp the opportunity to remediate and notify our customer base prior to making the vulnerability public.

When reporting vulnerabilities, review existing NetApp vulnerability reports to confirm you’re reporting something new.