This Vulnerability Disclosure Policy outlines our commitment to working with security researchers to identify and address potential security vulnerabilities. We encourage responsible disclosure of security vulnerabilities to help us ensure the safety and security of our systems and data.
Scope
This policy applies to the following systems and services:
Commvault's software product and our SaaS backup infrastructure
Guidelines for Responsible Disclosure
We ask that security researchers adhere to the following guidelines when reporting vulnerabilities:
Act in good faith: Conduct vulnerability research in an ethical manner.
Provide detailed reports: Submit clear and concise reports with detailed information about the vulnerability, including:
A detailed description of the vulnerability
Steps to reproduce the vulnerability
Potential impact of the vulnerability
Affected systems/URLs
Avoid exploitation: Do not exploit the vulnerability beyond the minimal testing required to prove its existence. This includes:
Do not access, modify, or delete data belonging to others.
Do not disrupt our services or systems.
Do not conduct denial-of-service (DoS) attacks.
Maintain confidentiality: Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We request that you keep all communication about the vulnerability confidential between yourself and our security team.
Use authorized testing: Only test on accounts you own or have explicit permission to test.
Stop testing and report immediately: If you encounter any sensitive data, such as personally identifiable information (PII), financial information, or trade secrets, stop your testing and report the issue to us immediately. Do not store, share, or further process this data.
Reporting a Vulnerability
Vulnerability reports should be submitted to us via email at PSIRT@Commvault.com. Please include the following information in your report:
Your name/handle
Your email address
A detailed description of the vulnerability
Steps to reproduce the vulnerability
Potential impact of the vulnerability
Affected systems/URLs
Our Commitment
When you submit a vulnerability report in accordance with this policy, we will:
Acknowledge receipt: Acknowledge receipt of your report promptly (within 5 business days), as long as it is within the scope of this policy.
Investigate: Investigate the vulnerability and take reasonable steps to validate your report.
Respond: Respond to your report with our assessment of the vulnerability and an estimated timeline for addressing it.
Work to remediate: Work to address the vulnerability in a timely manner.
Maintain communication: Keep you informed about the progress of our investigation and remediation efforts.
Coordinate disclosure: Work with you to coordinate public disclosure of the vulnerability after it has been addressed.
Safe Harbor
We consider vulnerability research conducted in accordance with this policy to be authorized conduct. If legal action is initiated by a third party against you in connection with activities conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Recognition
We appreciate the efforts of security researchers who help us improve our security. We may offer recognition for valid vulnerability reports at our discretion by acknowledging your effort on the CVE or our disclosure, depending on the severity and impact of the vulnerability. If you would like to remain anonymous, please include such details when you file the report.
Policy Updates
We reserve the right to modify this policy at any time. We encourage you to review this policy periodically for any changes.
Questions
If you have any questions about this policy, please contact us at PSIRT@Commvault.com.