Seagate’s Product Vulnerability Disclosure Policy addresses security vulnerabilities affecting Seagate products to support the security of our customers and their data. This policy targets compliance with ISO/IEC 30111 and ISO/IEC 29147.
At Seagate, we treat potential security vulnerabilities seriously and seek to respond swiftly and comprehensively. Seagate is committed to working with security researchers, industry partners and the public to verify and address any potential vulnerabilities that are reported to us.
Guidelines
· If you identify a security vulnerability in a Seagate product, please report it as soon as possible. Timely identification and reporting of security vulnerabilities is critical to mitigating potential risks to our customers.
· If a vulnerability provides you with access to sensitive information, only access such information as minimally necessary to report the vulnerability to Seagate. Do not disclose this data to anyone else.
· Make a good faith effort to avoid privacy violations, degradation of user experience, disruption to product systems and destruction or manipulation of data. Only interact with accounts you own or with explicit permission of the account holder.
· Keep information about any vulnerabilities confidential until we have resolved the issue, or 90 days have passed from our initial acknowledgement of your report. Occasionally there are vulnerabilities that cannot be resolved within 90 days. If more time is needed, we will work with you to extend the window.
Reporting a Potential Security Vulnerability
· The preferred method for commercial product customers and suppliers to report security issues discovered in Seagate products is to contact their respective Technical Support teams.
· Vulnerability reports can be sent directly to the Seagate PSIRT team via email: [email protected]. Email messages and attachments should be encrypted when transmitting sensitive information by using PGP and a Seagate PSIRT PGP key, which is available for download below. We would prefer the message be provided in English.
Download PSIRT PGP Key
· Product vulnerability reports may also be submitted through the Seagate Bugcrowd submission form. Reports may be submitted anonymously.
When reporting a potential vulnerability, please include as much of the below information as possible in your initial communication to help us triage the submission:
· Product name, serial number, and firmware version the vulnerability is impacting
· Description of the vulnerability
· Step-by-step instructions to reproduce the issue (proof-of-concept scripts or screenshots are helpful)
· Impact of the vulnerability and any potential remediation
· Plans or intentions for public disclosure
What You Can Expect from Seagate
If you share your contact information, Seagate will strive to acknowledge your vulnerability report and provide a 90-day disclosure date within two (2) business days of receipt (Reference: United States Central Time).
Seagate will investigate the reported potential vulnerability. If additional information is required to confirm the vulnerability, we will contact you. If we do not receive a response, we may close the case.
All information received by the Seagate PSIRT is considered confidential, so access is based on need to know.
Once a vulnerability has been confirmed, Seagate will conduct a risk analysis to determine appropriate actions, and we may provide you with a summary of our findings.
We do not currently participate in any bug bounty programs.
The Bugcrowd Hall of Fame acknowledges the work of researchers who have contributed to the program. If you have submitted at least one valid bug report to Seagate through Bugcrowd, your profile will be shown on the Seagate VPD Hall of Fame following Bugcrowd guidelines.
External Communication
Seagate Security Advisories are published at our own discretion to communication with customers about the security vulnerabilities that affect our products, and the steps needed for mitigation.
Product Scope
The Product Vulnerability Disclosure Policy addresses all Seagate hardware and software products. Products that are at the end of their service life are not in scope.
Disclaimer
The Product Vulnerability Disclosure Policy is subject to change without notice. A response is not guaranteed for any specific issue
