Panzura’s Security Response Process


Panzura Security Response Policy

Panzura strives to develop products that our customers entrust with their most sensitive information; our goal is to ensure that our products meet the high standard for security our clients demand. This policy documents Panzura’s proactive commitment to identifying, mitigating, and resolving possible security vulnerabilities across our product line.

How to Report a Suspected Vulnerability

Please send information or questions concerning suspected security vulnerabilities to security@panzura.com. We hope our clients will contact us privately and give Panzura an opportunity to evaluate, confirm, and mitigate the vulnerability before it becomes public knowledge.

When reporting an issue, please provide the following:

  • A detailed description of the problem
  • A technical contact who can answer questions
  • Your appliance model and software version
  • System logs

Panzura encourages our clients to use our public PGP key to encrypt sensitive data sent within the email. Our email public key can be found here.

Classification of Vulnerabilities

Critical

Critical vulnerabilities are those that can be exploited by unauthenticated users and that allow for elevated access privileges. The exploitation results in the complete compromise of data or appliance confidentiality, integrity, and availability.

Panzura will take action on such items immediately, and deliver a correction or mitigation to our customers as quickly as possible.

Important

Important vulnerabilities are those whose exploitation results in the complete compromise of confidentiality or integrity of user data or appliance resources through authorized user assistance or by authenticated attackers, or those which could lead to the complete compromise of system availability when triggered by a remote unauthenticated attacker.

Panzura will deliver a fix in the first maintenance release following resolution of the issue.

Moderate

Moderate vulnerabilities are those where the ability to exploit is mitigated to a significant degree by configuration or difficulty of exploitation, but in certain deployment scenarios could still lead to the compromise of confidentiality, integrity, or availability of user data or appliance resources.

Panzura will deliver a fix in the next major or minor release of the product.

Low

Low vulnerabilities are those where exploitation is believed to be extremely difficult, or where successful exploitation would have minimal impact on data or appliance confidentiality, integrity, or availability.

Panzura will deliver a fix in the next major or minor release of the product.

Panzura’s Security Response Process

Along with monitoring customer reports from the security mailbox, Panzura also evaluates reports from Panzura technical staff and monitors public vulnerability databases to identify any vulnerabilities in our products or components.

After receiving a report, the Panzura security staff will evaluate the report and determine if there is an existing fix. If so, corrective action will be coordinated through Panzura support to ensure that the reporting customer's issue is fully resolved.

If we receive a report for an issue where there is no available fix, the Panzura security team will determine which products, if any, it applies to, and classify the vulnerability using the scale described herein. The Panzura security team will be responsible for working with the reporter and internal resources in developing a timeframe for issue resolution and public communication.

Panzura’s Security Disclosure Policy

All reports to the Panzura security team are treated as confidential information for the protection of our customers and Panzura intellectual property. We will restrict the flow of information within the organization to the resources required to manage and resolve confirmed security vulnerabilities, and we encourage our customers to maintain confidentiality about any potential vulnerabilities until an issue is made public.

We request a window of up to 5 business days from initial customer notification to review and duplicate the issue internally before delivering a response to the reporting party. Follow-up reports will be issued weekly to the reporting party until the issue is publicly reported on the Panzura website at our Security Advisories page.

When a patch or workaround is developed that resolves the issue, Panzura will take proactive action to notify all affected customers; following a 30-day timeframe for implementation of the corrective action, we will publicly disclose the security advisory on our website.