HPE Vulnerability Disclosure Program
Introduction
Welcome to the HPE Security Community!
We're excited to have you join our mission to strengthen cybersecurity across Hewlett Packard Enterprise's ecosystem. Your expertise and dedication to finding vulnerabilities help us protect our customers, partners, and the broader technology community.
At HPE, we believe that collaboration with the security research community is essential for building resilient systems. Whether you're a seasoned researcher or just starting your journey in security, we value your contributions and are committed to working together transparently and respectfully. Happy Hacking!
Program Highlights
Gold Standard Safe Harbor – This program adheres to the Gold Standard Safe Harbor.
Average Response Times:
- Average time to first response: 2 hours
- Average time to triage: 2 weeks, 2 days
- Average time to resolution: 1 month, 3 weeks
Overview
Hewlett Packard Enterprise (NYSE: HPE) is the global edge-to-cloud company that helps organizations accelerate outcomes by unlocking value from all of their data, everywhere.
With this program, we look forward to working closely with cybersecurity researchers to stress-test our products, discover vulnerabilities, and responsibly disclose them for the maximum benefit of our customers and the ecosystem at large.
We believe in the wisdom of the crowd, and in this case, a highly technical crowd. If you have information related to security vulnerabilities in HPE products, we appreciate that you submit a report in accordance with the rules of engagement below.
We value the positive impact of your hard work and thank you in advance for your contribution.
Testing
- Abide by the program scope and only test against systems you have permissions to test.
- When making an account for testing purposes, please use your HackerOne email alias so we can properly identify you.
- No social engineering against HPE employees or customers.
- No denial-of-service attacks against HPE assets or systems or other activity which may affect the integrity or availability of the target systems. If you notice performance degradation on the target systems, you must immediately suspend the activity.
- As a best practice, identify yourself as a security researcher by adding a custom HTTP header to your requests, such as "X-HackerOne-Research: [H1 username]".
Disclosure
- If you think that you have discovered a security vulnerability, we appreciate your help in disclosing the issue to us. Please do this responsibly by giving us the opportunity to investigate and fix the vulnerability in a timely fashion before publicly disclosing it. Security vulnerability reports will be treated as a high priority.
- Researchers must not publicly disclose vulnerabilities or share vulnerabilities with a third party without HPE's express written permission.
- Follow HackerOne's disclosure guidelines.
Data Privacy
- Never use a finding to compromise or exfiltrate data or to pivot to other systems. Use a proof of concept to demonstrate the issue.
- Do not attempt to compromise any customer accounts or data, or personal information in the possession of HPE. Never attempt to view, modify, or damage data belonging to others.
- If you inadvertently view or change any personally identifiable information (PII) during your research, stop testing immediately and submit a report to HPE with reproducible steps so that our team can evaluate the potential business impact of any exposed PII.
Reporting
A good report should include the following information:
a. Description of the vulnerability
b. Proposed CVSSv3 Vector & Score
c. Steps to reproduce the reported vulnerability
d. Proof of exploitability (e.g., screenshot, video)
e. Proof-of-concept code
f. Perceived impact to another user or the organization
g. Recommendations for remediation or mitigation
h. List of URLs and affected parameters
i. Other vulnerable URLs, additional payloads, proof-of-concept code
j. Browser, OS, and/or app version used during testing
- Submit one vulnerability per report unless you need to chain vulnerabilities to demonstrate impact.
- Multiple vulnerabilities caused by one underlying issue will be considered duplicates.
Eligibility
- You must not be subject to sanctions administered or enforced by the Office of Foreign Assets Control (OFAC) or any other agency of the United States, or be located in a country subject to such sanctions. Your activities must comply with all applicable domestic and international laws, statutes, ordinances, and regulations, and you may not participate in this program if this activity is prohibited in your jurisdiction.
- Be at least 18 years old and have the legal capacity to agree to these terms and participate in the program.
- Have permission from your employer to participate.
- Not be, and not have been within the previous 12 months, an HPE employee, an immediate family member of an HPE employee, an HPE contractor, or an HPE service provider.
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
- Rate-limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Publicly known zero-day vulnerabilities for which an official patch has been available for less than 1 month will be awarded on a case-by-case basis
- Tabnabbing
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
Scope Update: Effective 11/3/2025
Assets previously covered by the Aruba-Public program are now in scope for the HackerOne program. HPE Networking still maintains a separate program that pays bounties for product-focused submissions.