Product Security Vulnerability Response & Notification Policy

NetApp has a standard policy for receiving reports related to potential security vulnerabilities in its products and services and a standard practice with regards to informing customers of verified vulnerabilities and remediation guidance.

When to contact. Contact the NetApp Product Security Incident Response Team (PSIRT) by sending email to security-alert@netapp.com in the following situations:

  • You have identified a potential security vulnerability with one of our products.
  • You have identified a potential security vulnerability with one of our services.

After your incident report is received, the appropriate personnel will contact you to follow up.

To ensure confidentiality, we encourage you to encrypt any personal, sensitive or confidential information you send to us via e-mail. We are equipped to receive messages encrypted using PGP/GNU Privacy Guard (GPG). A copy of the NetApp PSIRT public key (0xXXXXXXXX) that can be used to send encrypted email can be found on our website with this policy and on multiple public key servers.

The security-alert@netapp.com email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please visit http://support.netapp.com/

NetApp attempts to acknowledge receipt of all submitted reports within seven days. In some instances, acknowledgement of receipt may be delayed due to company or national holidays. In those cases, NetApp will make every attempt to respond within the seven-day window upon the resumption of normal business activities.

Product Security Incident Response Process. NetApp follows a multi-step process when responding to vulnerabilities and notifying our customers.

Vulnerability Report Received

NetApp only considers properly formatted and PGP-encrypted emails as valid vulnerability notifications. All other email notifications will be discarded without a response from NetApp.

NetApp will investigate a properly reported suspected vulnerability in our products regardless of the product version number or lifecycle status. NetApp will, at its discretion, prioritize the allocation of resources required for verification of suspected vulnerabilities based on the severity of the reported vulnerability, business factors, and environmental considerations.

Verification

Once a finder has initiated contact with NetApp regarding a potential vulnerability, NetApp PSIRT engineers will attempt to verify the existence of the vulnerability using several methods. To aid in the verification of a suspected vulnerability, NetApp may or may not choose to engage with the disclosing parties. In the event that NetApp determines that the finder has not provided enough information, NetApp may contact the finder to request additional details. In all cases, NetApp attempts to respond to all properly formatted vulnerability reports within seven days of receipt.

Resolution Development

When determining the best resolution, NetApp will attempt to balance the need to create a resolution quickly with the overall testing required to ensure the resolution does not negatively impact affected users due to quality issues. In making this determination, NetApp will consider factors such as whether a vulnerability poses a high risk of exploitation to affected users, either because it is simple to exploit or because the issue is already being actively exploited.

A temporary or intermediary resolution that consists of a mitigation or workaround may be necessary in cases where a vulnerability poses a high risk to users. A non-comprehensive resolution that works in most scenarios may also be necessary in high-risk circumstances.

Notification

Without exception, NetApp makes every effort to disclose the minimum amount of information required for a customer to assess the impact of a vulnerability in their environment, as well as any steps required to mitigate the threat. NetApp does not intend to provide any details that could enable a malicious actor to develop an exploit. NetApp provides different security publications depending on the severity of the vulnerability being disclosed. Refer to section 5 for information on the various NetApp security publications. In no case will NetApp disclose a vulnerability until a patch has been developed or a set of mitigating controls has been verified to significantly reduce the threat.

NetApp security publications are posted to NetApp.com/support and sent to the customer-security-announcement@netapp.com email alias.

At its discretion, NetApp gives credit to external vulnerability discoverer(s) only if:

  • They desire to be identified as a discoverer and have provided explicit consent to divulge their identity.
  • They gave NetApp the opportunity to remediate and notify our customer base prior to making the vulnerability public.

Organizations, teams, individuals, or any combination thereof may be identified as discoverers. It is the responsibility of each discoverer to obtain any necessary permission from its employer to be identified by NetApp.

Post Resolution Support

Updates to the vulnerability resolution may be required after NetApp has released a security publication, associated software patches or software updates. If an update is required, NetApp will update security resolutions as appropriate, until further updates are no longer relevant.

Scoring, prioritizing, and responding.

NetApp uses version 2.0 of the Common Vulnerability Scoring System (CVSS) during the evaluation of reported vulnerabilities and when disclosing and notifying customers of verified vulnerabilities as a means of establishing a consistent dialog.

The CVSS model includes base, temporal, and environmental components, each of which contributes to the overall score. As part of the notification process, NetApp provides an evaluation of the base and temporal vulnerability scores. Consumers of the vulnerability notification are encouraged to compute the environmental score based on their unique environment. The combination of all three scores should be considered the final score, which represents a moment in time and is specific to the consumer's environment.

NetApp uses a combination of the base and temporal scores when prioritizing vulnerability responses. Additionally, NetApp uses the following CVSS guidelines when determining how and when a vulnerability will be disclosed:

  • Security Alert – provides information about significant security vulnerabilities that directly affect NetApp products and require a software upgrade, patch, or other customer action to remediate.
  • Security Notice – documents low and medium severity security issues that directly involve NetApp products but do not warrant the visibility of a NetApp Security Advisory.
  • Security Response – addresses issues that require a response to information discussed in a public forum, such as a blog or discussion list. Security responses are normally published if a third party makes a public statement about a NetApp product vulnerability.
  • Release Note Enclosure – provides information about low severity security vulnerabilities.

NetApp security publications are organized by Common Vulnerabilities and Exposures (CVE) Identifier to facilitate correlation of security issues across NetApp products.

For more information about CVSS, visit the FIRST.org website.

Read the NetApp Product Security Vulnerability Handling & Response Policy.