Hewlett Packard Enterprise Security Response Policy

Scope

The Hewlett Packard Enterprise (HPE) Product Security Response Team (PSRT) is responsible for receiving, tracking, managing, and disclosing vulnerabilities in HPE products. The HPE PSRT actively works with industry, non-profit, government organizations, and the security community when vulnerabilities are reported. A security vulnerability is defined as any weakness in a product that allows an attacker to compromise the confidentiality, integrity, or availability of a product, customer infrastructure, or IT system through an HPE product in that environment.

HPE PSRT activities cover products manufactured or sold by HPE, under the HPE brand name. Only products and software releases which are currently supported and have not reached their end of support milestone date as listed on the HPE End of Life page are covered. In addition to HPE-branded products, the HPE PSRT also covers currently-supported products manufactured by HPE subsidiaries or acquisitions.

HPE's PSRT operates in accordance with ISO/IEC 29147:2018.

Contacting HPE for Security Assistance

HPE Products - General Security Inquiries

Many customers have questions and concerns regarding the security of HPE products, including the following:

Generic security questions
Security-related configuration questions not covered in the hardening guide
Questions on whether or not you are experiencing a product vulnerability
Questions related to specific CVE(s)
Questions related to the results of a vulnerability scanner
Need emergency support assistance

In general, your first contact for these types of inquiries should be to the HPE Support Center using the following contact information.

https://support.hpe.com/hpesc/public/home

For questions relating to HPE's websites, or non-product related incidents

Please email [email protected].

HPE Suspected Product Vulnerabilities

If you suspect a product vulnerability with any HPE product, POC (proof of concept) code or procedure that indicates possible compromise of an HPE product, please contact the HPE PSRT directly.

There are two methods to report such potential product vulnerabilities to HPE:

Use our web form at https://www.hpe.com/info/report-security-vulnerability
Email [email protected] using our public PGP key (https://www.hpe.com/info/psrt-pgp-key)

Please make sure to include the following:

High-level description of the problem along with a technical contact we can get in touch with who can answer all related questions
List of the HPE hardware involved
List of the HPE software/firmware versions involved
A detailed description of the issue which ideally provides enough information to reproduce the problem
Logs, crash dumps, screenshots, and other supporting information

If your submission matches the criteria above, the HPE PSRT will acknowledge your email within 24 hours. After acknowledging the email, we request five business days to validate the reported finding and prepare a response or request more information, if needed. We would appreciate it if you wait for our response prior to reporting the problem to others.

The HPE PSRT is not responsible for any "non-product" HPE or HPE IT system, network, or website. Please see contacts above for the respective products and services.

HPE's Commitment to Product Security and Integrity

HPE product development practices generally align with the OWASP OpenSAMM framework, and most HPE products are designed to comply with relevant ISO/IEC 15408 (Common Criteria) protection profiles.

HPE corporate policies prohibit intentional product features or capabilities that allow unauthorized device or network access, exposure of sensitive customer data, or bypass of security features. These include, but are not limited to:

Undisclosed unauthorized device access methods (i.e. "backdoors")
Intentional protocol or cryptographic weaknesses
Hardcoded or undocumented accounts and account credentials
Covert communication channels
Undocumented features that allow copy or diversion of network traffic

HPE considers such product behaviors to be serious vulnerabilities and will treat them as such by correcting the vulnerability and issuing vulnerability disclosures.

HPE's Commitment to the Security Community

HPE has consistently supported the work of the security community and security researchers, and values the work done by this community to improve the security of technology products. HPE is committed to working with the security community to discover, verify, and respond to vulnerabilities found in our products, and encourages the community to participate in a responsible disclosure process.

To encourage responsible reporting of security vulnerabilities, HPE will not take legal action nor request law enforcement action against any individual or group conducting legitimate good-faith security research and reporting vulnerabilities in HPE products or services, provided those individuals or groups comply with the following guidelines:

Provide all information necessary to reproduce the vulnerability
Do not violate the privacy of HPE customers, partners, or users. If you come into possession of privacy-impacting information, securely report this information to HPE and then destroy it
Do not modify information that does not belong to you
Give HPE a reasonable amount of time to correct and disclose the vulnerability before making any information public. The HPE PSRT is willing to provide status updates regarding vulnerability reports upon request
Do not violate any laws

Specifically:

HPE does not consider legitimate good-faith security research to be a violation of the HPE End User Licensing Agreement even if that research involves reverse-engineering of HPE technology
HPE will not bring a copyright infringement claim under the Digital Millennium Copyright Act against a legitimate good-faith security researcher even if that research involves circumventing security mechanisms in the HPE products
HPE will not consider that access of an HPE PSRT-covered product by a legitimate good-faith security researcher has been access without authorization or access that exceeds authorization under the Computer Fraud and Abuse Act, provided that researcher complies with this policy

HPE will provide public acknowledgement and credit to security researchers in published vulnerability bulletins.

HPE Security Vulnerability Response Process

All reports sent to the HPE PSRT concerning suspected or potential existence of a vulnerability related to HPE products are reviewed and processed by HPE's PSRT members. This review is performed utilizing the written description of the suspected vulnerability and any other supporting data collected by the reporter. In some cases, it is necessary to request additional information from the reporting entity in order to begin the review.

The HPE PSRT utilizes a thorough review and analysis process designed to provide the best qualification and categorization of reported vulnerabilities. We require detailed technical information and scenario-based descriptions from the reporter in order to ensure a successful evaluation can be completed. After the HPE PSRT performs an initial evaluation, assignment of severity level is made. The PSRT will contact the reporter in order to update the status of the investigation and the severity level of the vulnerability should one exist. The HPE PSRT will work with the reporter to determine the planned timeframes for resolution, as well as the customer and public communication plans.

The HPE PSRT has overall responsibility for managing the process of development and distribution of workarounds and patch releases for the vulnerability. This oversight is required to ensure that during the notification process, the appropriate aspects of customer support are met. Once the workarounds and patch releases are ready for customer distribution, the HPE PSRT will publish bulletins on the HPE Support Center web site for easy access by customers.

All information received by the HPE PSRT is considered confidential, and as such is restricted to a limited group of HPE subject matter experts with specific skills designed to provide the most comprehensive resolution action plan. In addition, the PSRT will ask the reporter to treat the information as confidential until such a time as HPE can provide customers with resolution plans and options for mitigation, as well as a coordinated customer and public disclosure. Where the reporter wishes to receive public acknowledgement or "credit" for finding the vulnerability, HPE will provide that in the published security bulletin.

Disclosure Guidelines

HPE handles and discloses vulnerabilities in accordance with ISO/IEC 30111.

Disclosure is not selective under any circumstances. It is HPE's policy to notify all customers of vulnerabilities at the same time. No HPE customer, partner, or third-party is given advance notification or additional details of a vulnerability.

Public disclosure of vulnerabilities will generally take place only after permanent fixes are available.

Receiving Security Bulletins

Security bulletins are published on the HPE Support Center web site in the HPE security bulletin library. This site includes the latest bulletins as well as an archive of previous bulletins. HPE offers a notification email service for security bulletins. To subscribe to this service, visit the HPE Email Preference Center. This free service is available to the public and is offered on a best-effort basis through a commercial mailing list provider. HPE may offer other notification channels through premium support service offerings, but under no circumstances will HPE offer an "advance notification" service.

About This Document

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. HPE reserves the right to change or update this document without notice at any time.