Product Security Vulnerability Response and Remediation Policy

Product Security Policy

Audience
Public
Source Type
Documentation

Security is paramount in building customer trust and confidence. Everpure's products and services are developed using security-by-design principles.

We have established a robust Product Security and Incident Response Team (PSIRT) to investigate, respond, and communicate security vulnerabilities impacting our products and cloud services. This policy outlines our approach to handling and responding to security incidents to protect our customers and maintain the integrity of our products.

Reporting Security Vulnerabilities

Potential vulnerabilities or incidents impacting Everpure's products or services can be reported to psirt@purestorage.com. We highly encourage sending us a secure email using our Contact Pure Security page.

Pure's Product Security & Incident Response Team (PSIRT) will receive and promptly investigate the reported vulnerabilities. The response timelines may vary on factors such as scope, complexity, severity and impact. If the vulnerability is determined to be valid, it will be prioritized based on the impact, likelihood and exploitability of the reported vulnerability.

Please refer to the Vulnerability Reporting and Disclosure Policy for additional information about Responsible Disclosure, Safe Harbor and Bug Bounty Program

How Everpure Scores Vulnerabilities

Everpure uses industry standard Common Vulnerability Scoring System (CVSS 4.0) to assess and determine the vulnerability score. The following criteria must be met for scoring vulnerabilities:

  • Must be a valid vulnerability in Everpure maintained code.

  • The vulnerability must exist in supported versions of the products.

Everpure’s vulnerability scoring is aligned with standards defined by Forum of Incident Response and Security Teams (FIRST.org). Refer to the table below:

Table 1. 1 Everpure Vulnerability Ratings/Score

CVSS Score

Severity

9.0 - 10.0

Critical

7.0 - 8.9

High

4.0 - 6.9

Medium

0.1 - 3.9

Low

Vulnerability Remediation

  • Pure may release a security patch/bundle along with fixed releases For critical/high vulnerabilities. The determination as to whether multiple fixes will be included in a patch/bundle is based on the security vulnerability impact and potential exploitability.

  • A security bundle addresses multiple vulnerabilities, whereas a patch is meant to address only one vulnerability in the product(s).

  • Patch/Bundles will be made available only for active release software versions. End Of Life (EOL) software versions will not receive a patch. Instead, customers using End Of Life (EoL) software versions will be required to upgrade either to an active release software version (i.e. not EoL), or to a fixed software version.

    Note: Upgrading to an active release software version that does not contain required security vulnerability fixes would still require the adoption of self-service opt-in patch application). Similarly, customers with arrays that do not phone home (i.e. Dark Assets) will be required to upgrade to a fixed software version. Manual application of security vulnerability patches is not supported for non-phone home (Dark Assets).
  • A cumulative bundle includes fixes from previous security vulnerability patches, and is intended to reduce the burden on customers from being required to apply multiple patches. When a cumulative bundle is released, if it incorporates a security vulnerability fix available from a previous security patch, we will deprecate the previous security patch. Customers may then apply the latest cumulative bundle to address multiple security vulnerabilities.

  • Any exception to this policy must be reviewed and approved by PSIRT.

Security Bulletins & Advisories

Everpure will disclose security vulnerabilities and appropriate mitigations through our security bulletins and advisories/notices. The security bulletins will include at a minimum the following information:

  • Description of the vulnerability

  • Impacted products

  • Fixed versions

  • CVSS score and Vectors

  • Remediation information including workaround (if applicable)

Customers can view a more comprehensive list of vulnerabilities in Pure's CVE Database.

On a case-by-case basis, Pure may publish a security bulletin to acknowledge a publicly known security vulnerability, and to provide guidance regarding when (or where) additional information will be available. Security advisories/notices may also be published for security related events and its impact on Pure products.

Pure may on occasion also determine that based on the scope, impact, and affected install base of a security vulnerability, email notification may also be required to alert our customers of critical vulnerabilities that require immediate attention inline with our privacy policy.

Pure may publish security related articles to share information about security-related topics such as:

  • Release of new security hardening features;

  • Security configuration guides and best practices;

  • Security vulnerabilities in third-party components, identified by vulnerability scanning tools but which are not exploitable from within the specified product;

  • Product certifications.

The above information can be found in Security Resources and Certifications.

The following table identities how Everpure provides customer facing information regarding security vulnerabilities.

Table 2. Table 1.2 Everpure Vulnerability Communication

CVSS Score

Severity

Bulletin

Advisory

Release Notes

9.0 - 10.0

Critical

Yes

Yes

Yes

7.0 - 8.9

High

As Needed

Yes

Yes

4.0 - 6.9

Medium

As Needed

As Needed

Yes

0.1 - 3.9

Low

As Needed

As Needed

Yes

Pure security bulletins and advisories are available at https://purestorage.com/security.

End of Life Policy

All Pure Products and services are subject to Pure's End-of-Product Lifecycle. For additional information, please see the End of Product Life Cycle and Upgrade Policy in Everpure End User License Agreement (EULA).

Customers can navigate to the End-of-Product Lifecycle Overview for information on Pure’s software and hardware lifecycle including end-of-life dates.

Note: End-of-Life: The date after which Everpure will no longer provide maintenance updates or security fixes to a given Purity release.

Flash Array End of Product Life Cycle (EOL):

Release Line Release Type1 Original Release Date Field Qualification2 Latest Version End-of-Life (EOL) Date Hardware Platforms Supported
6.12 FR Jun 2026 GA 6.12.0 Jan 2027 (Planned) FA//X (R4, R5), FA//C (R4, R5), FA//XL (R1, R5), FA//E, FA//RC20, FA//ST (R1, R5), and Everpure Cloud Dedicated (Azure, AWS)
6.10 FR Aug 2025 GA 6.10.6 May 2026 FA//X (R3, R4, R5), FA//C (R3, R4, R5), FA//XL (R1, R5), FA//E, FA//RC20, and
6.9 LLR Jul 2025 ER (Effective 6.9.2) 6.9.6 Jun 2028 (Planned) FA//X (R3, R4, R5), FA//C (R3, R4, R5), FA//XL (R1, R5), FA//E, FA//RC20, and
6.8 FR Oct 2024 EOL 6.8.9 (Last) Jul 2025 FA//X (R3, R4), FA//C (R3, R4), FA//XL (R1, R5), FA//E, FA//RC20, and
6.7 LLR Nov 2024 GA 6.7.8 Oct 2027 (Planned) FA//X (R2, R3, R4), FA//C (R1, R3, R4), FA//XL (R1), FA//E, and (only through 6.7.7)
6.6 FR Oct 2023 EOL 6.6.11 (Last) Sep 2024 FA//X (R2, R3, R4), FA//C, FA//XL, FA//E, and
6.5 LLR Oct 2023 ER (Effective 6.5.3) 6.5.13 Sep 2026 (Planned) FA//M (R2), FA//X, FA//C, FA//XL, and (only through 6.5.8)
6.4 FR Nov 2022 EOL 6.4.10 (Last) Oct 2024 FA//M (R1, R2), FA//X (R1, R2, R3), FA//C (R2, R3), FA//XL, FA//X and C R4 (effective 6.4.10), and
6.3 LLR Apr 2022 EOL 6.3.21 (Last) Mar 2025 FA//M (R1, R2), FA//X (R1, R2, R3), FA//C (R2, R3), FA//XL
6.2 SR Sep 2021 EOL 6.2.16 (Last) May 2023  
6.1 LLR Dec 2020 EOL 6.1.25 (Last) Apr 2024  
6.0 SR Jun 2020 EOL 6.0.8 (Last) Feb 2022  
5.3 LLR Aug 2019 EOL 5.3.21 (Last) Aug 2022  
5.2 SR Jan 2019 EOL 5.2.7 (Last) Jan 2021  
5.1 LLR May 2018 EOL 5.1.17 (Last) Feb 2021  
5.0 SR Dec 2017 EOL 5.0.8 (Last) Dec 2018  
4.10 LLR Apr 2017 EOL 4.10.13 (Last) Feb 2021  

Flash Blade End of Product Life Cycle (EOL):

Release

Release Notes

Release Type

First Published

End-of-Life Date
4.8.x Release Timeline 4.8 Release Notes

FR

March 2026

Q4 2026

4.7.x Release Timeline

4.7 Release Notes

LLR

May 2026

April 2029

4.6.x Release Timeline

4.6 Release Notes

FR/EOL

June 2025

Q1 2026

4.5.x Release Timeline

4.5 Release Notes

LLR/ER

August 2024

Q2 2028

4.4.x Release Timeline

4.4 Release Notes

SR/EOL

March 2024

December 31, 2025

4.3.x Release Timeline

4.3 Release Notes

LLR/EOL

September 2023

December 31, 2025

4.2.x Release Timeline

4.2 Release Notes

SR/EOL

April 2023

April 30, 2024

4.1.x Release Timeline

4.1 Release Notes

LLR/EOL

January 2023

March 31, 2025

4.0.x Release Timeline

4.0 Release Notes

SR/EOL

June 2022

March 31, 2025

3.3.x Release Timeline

3.3 Release Notes

LLR/EOL

December 2021

December 20, 2023

3.2.x Release Timeline

3.2 Release Notes

SR/EOL

March 2021

December 7, 2022

3.1.x Release Timeline

3.1 Release Notes

LLR/EOL

October 2020

June 30, 2023

3.0.x Release Timeline

3.0 Release Notes

SR/EOL

February 2020

June 30, 2021

2.4.x Release Timeline

2.4 Release Notes

LLR/EOL

May 2019

October 31, 2021

Please see FlashArray Hardware and End Of Support and FlashBlade Hardware and End of Support for Hardware/Purity compatibility.

Note: For all above End Of Life Purity versions, no fixes will be provided in any EoL version, nor will any security vulnerability fixes be addressed in any EoL Purity version (this includes both Purity security vulnerability fix/integration as well as Pure1 patch remediation). Please also see Everpure End User Agreement.

We recommend that customers review our Product Release Notes for guidance on known fixed issues by release:

We also recommend for customers to stay up-to-date with the latest software to ensure they benefit from the security improvements and vulnerability fixes. Features such as Self-service Upgrade (SSU) are now available in certain Purity versions to make the upgrade process streamlined and efficient.

Purity Self-Service Upgrades for FlashArray™ Video Course is now available for Pure employees.

1 Release Types:
  • SR - Standard Release: The release line is active for 12-18 months from the first GA release. (Deprecated for FA.)

  • FR - Feature Release: A release line where active development of new product features and capabilities takes place.

  • LLR - Long-Life Release: A maintenance release line where minimizing feature change is the goal and only bug fixes and security updates are included. The release line is active for 24-36 months from the first GA release.

2 Field Qualification:
  • GA - General Availability: A release version that has passed internal quality and regression testing and is supported for customer use.

  • ER - Enterprise Ready: A LLR release version following the demonstration of sufficient accumulated runtime data to be recommended for critical customer workloads.

  • EOL - End-of-Life: A release line that has come to the end of the development lifecycle and is no longer being maintained, which means that will no longer release bug fixes, security updates, or firmware upgrades for that line.