Hitachi Vantara Vulnerability Disclosure Policy
Hitachi Vantara is grateful for submission of vulnerability reports and works to reduce risk for our
customers using any and all information available. We have implemented this policy to provide
a method to report any potential vulnerabilities as easily as possible.
If a security vulnerability in Hitachi’s products is discovered, customers are encouraged to report
the vulnerability by contacting Hitachi Vantara’s Global Support Center (GSC). The GSC team will
work in conjunction with Hitachi Vantara’s Information Security team to investigate the issue in
accordance with customer contract requirements and GSC standard operating procedures.
Hitachi Vantara recommends using an encryption program to securely transmit any data. Details
regarding sending encrypted data is available on the Cybersecurity web page under the section
While Hitachi Vantara will review reports submitted through the GSC, weaknesses in existing
customer installation due to their individual designs, third-party components, or compromised
access credentials are not considered a vulnerability within Hitachi Vantara’s products.
When submitting a report, we ask that you include as much of the following information as
possible: the affected Hitachi Vantara product or solution, the versions of software and/or
microcode of the Hitachi components, a description of the vulnerability and any other relevant
information such as evidence or proof of concept, whether the vulnerability has been already
published, and whether the reporter is committed to coordinated disclosure.
With the reporting entity’s agreement, Hitachi Vantara may recognize the reporting entity with
credit for the discovery of the vulnerability as part of the official Hitachi Vantara process.
Hitachi Vantara’s product vulnerability handling generally consists of: first response; initial triage;
investigation and planning; remediation; and disclosure & notification. While Hitachi Vantara
makes every effort to remedy the vulnerability in a timely fashion, remedy times may vary
depending on the specific vulnerability identified. Assuming the reported information is not
known publicly, it is the intention of the reporting entity and Hitachi Vantara for the information
to remain between Hitachi Vantara and the reporting entity until there is a remediation.
The information contained herein is subject to change at any time without notice. The statements
in this policy do not modify, supersede, or otherwise amend any customer rights, obligations,
or terms between Hitachi Vantara and any other party. Your use of the information or links
included in this policy is done at your own risk