SanDisk Vulnerability Disclosure Policy
1. Introduction
An important goal of the SanDisk PSIRT (Product Security Incident Response Team) is to protect the security of the end users of SanDisk products. The SanDisk Vulnerability Disclosure Policy encourages the input of security researchers and the general public, to act in good faith and engage in responsible vulnerability research and disclosure. If you believe you have discovered a vulnerability, exposed data, or other security issues, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, clarifies SanDisk’s definition of good faith in the context of discovering and reporting potential vulnerabilities, and explains what researchers can expect from SanDisk in return.
2. Definitions
- Confidentiality Window: If we accept your vulnerability report, our goal is to complete remediation work and release a fix within 90 days of initial acknowledgement. If additional information is required to confirm the vulnerability, we will contact you. If we do not receive a response after 3 attempts, we may close the case, but we will still welcome future communications.
- Security Bulletins: Our Security Bulletins are posted here:
https://shop.sandisk.com/support/product-security
- You / Vulnerability Reporter: individual, organization, or limited group disclosing a vulnerability report.
- We / Us: Within this policy, "we" means all SanDisk and covers our brands, including: SanDisk, SanDisk Professional (SSD), and G-Technology (SSD).
- Official Reporting Channel: the communications channel for communicating about vulnerability disclosures: PSIRT@sandisk.com.
- Initial Acknowledgement: This is the date on which we respond after receiving your report to PSIRT with a case number and a 90-day disclosure date.
3. Vulnerability Reporting Instructions
To report a security issue you believe you have found in a SanDisk product or service, please email the details of your findings to our official reporting channel. Messages sent to any other email addresses may result in a delayed response.
When possible, please include the following:
- The specific product(s) or service(s) affected, including any relevant version numbers;
- Details about the impact of the issue;
- Any information that can help reproduce or diagnose the issue, including a Proof of Concept (PoC) if available; and
- Whether you believe the vulnerability is already publicly disclosed or known to third parties.
Please use our PGP/GPG key to encrypt the information before sending it.
4. Multi-Party Coordinated Vulnerability Disclosure
We follow the FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure. Researchers who wish to report a multi-party vulnerability but desire assistance navigating the process or coordinating multiple vulnerable parties can reach out to us. We may offer guidance and act as coordinator if we confirm acceptance of the vulnerability.
5. Products and Services Scope
All products that are still in the current and limited updates phase including the below mentioned product families. We also welcome vulnerability reports on all our web pages and cloud services. All products and services past their end of life are not covered by this vulnerability disclosure policy. This is the list of products currently in scope:
- Personal Mobile Storage: My Passport (SSD) and iXpand
- Professional Storage: G-DRIVE (SSD), PRO-BLADE
- WD BLACK (SSD)
- External Storage: SanDisk Desk Drive
- Internal Drives, SSDs & Embedded Flash
- Desktop and Mobile Applications: SanDisk Memory Zone
- USB Flash Drives
- Portable Drives (SSD)
- Memory Cards
See below for more information on our product support lifecycle:
6. Our Commitments
When working with us, according to this policy:
- We do not currently offer or participate in standing bug bounty programs. We do not honor requests for bounty payments, promotional material, or credit outside of our Security Bulletin publication process.
- We will initially acknowledge your vulnerability report within 3 business days of receipt, and we will provide a tracking number.
- We will send a confirmation of vulnerability acceptance within 30 days of our initial acknowledgement, and we will include a proposed fix deadline. If we do not accept the report, we will provide our reasoning and we will remain open to new information about the report.
- Once the reported vulnerability has been confirmed, our engineers will work on developing the appropriate fix(es).
- Occasionally there are vulnerabilities that cannot be resolved within the 90 day timeline. If more time than the normal confidentiality window is needed, we will work with you to extend the confidentiality window or advise otherwise. Resolution may depend on:
- Upstream vendors with different resolution timeframes than ours.
- Substantial architectural changes required to address the vulnerability.
- Complex or extended validation requirements resulting from low level firmware changes such as for SSD firmware vulnerabilities.
- We publish Security Bulletins at our own discretion to provide security information to our customers and the public. We will offer acknowledgement to you for finding and reporting the vulnerability on the related Security Bulletin and CVE if:
- The reported vulnerability affects a currently supported SanDisk product,
- We make a code or configuration change based on the issue,
- You are the first to report the issue,
- Your research is conducted in accordance with this policy, and
- You consent to the acknowledgement.
7. Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask the following from you.
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
- Report any vulnerability you’ve discovered promptly.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing. In particular:
- Do not cause potential or actual damage to our users, systems, or applications, including via disruptive testing like Denials of Service.
- Do not exploit a vulnerability to view unauthorized data or corrupt any data.
- Do not perform attacks that target our personnel, property, data centers, partners, and affiliates.
- Do not perform social engineering attempts or otherwise misrepresent your affiliation or authorization to any of our employees, contractors, or affiliates to access our assets.
- Do not violate any laws or breach any agreements in order to discover vulnerabilities.
- Perform research only within the product scope defined above under Products and Services Scope (Section 5).
- Communicate security vulnerabilities to us only via our vulnerability reporting process.
- Keep information about any vulnerabilities you have discovered confidential until we have resolved the issue and a security bulletin is posted. Do not disclose information outside of the confidentiality window.
- If a vulnerability provides unintended access to data:
- Limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept; and
- Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
- Only interact with test accounts you own or accounts where you have explicit permission from the account holder.
8. Disclaimer
We may update the Vulnerability Disclosure Policy from time to time. Please review this policy prior to submitting vulnerability reports. Disclosures will be governed by the version of this policy published at the time of initial acknowledgement.
9. Change History
Published: Oct 4, 2024
Version: 1.0
10. References
This policy is based on the guidelines presented in the ISO Documents 29147 & 30111.
Thanks to disclose.io for their outline and text provided under Creative Commons CC-0 as it was very helpful in creating our VDP.