An important goal of the Western Digital PSIRT (Product Security Incident Response Team) is to protect the security of the end users of Western Digital products. The Western Digital Vulnerability Disclosure Policy encourages security researchers and the general public to act in good faith and engage in responsible vulnerability research and disclosure, and welcomes their input. If you believe you have discovered a vulnerability, exposed data, or other security issues, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, clarifies Western Digital's definition of good faith in the context of discovering and reporting potential vulnerabilities, and explains what researchers can expect from Western Digital in return.
To report a security issue you believe you have found in a Western Digital product or service, please email the details of your findings to our official reporting channel. Messages sent to any other email addresses may result in a delayed response.
When possible, please include the following:
Please use our PGP/GPG key to encrypt the information before sending it.
We follow the FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure. Researchers who wish to report a multi-party vulnerability but desire assistance navigating the process or coordinating multiple vulnerable parties can reach out to us. We may offer guidance and act as coordinator if we confirm acceptance of the vulnerability.
All products that are still in the current and limited updates phase, including the product families mentioned below, are in scope. We also welcome vulnerability reports on all our web pages and cloud services. Products and services past their end of life are not covered by this vulnerability disclosure policy. This is the list of products currently in scope:
See below for more information on our product support lifecycle:
WD Products: https://www.westerndigital.com/support/software/software-life-cycle-policy
When working with us, according to this policy:
In participating in our vulnerability disclosure program in good faith, we ask the following from you.
We may update the Vulnerability Disclosure Policy from time to time. Please review this policy prior to submitting vulnerability reports. Disclosures will be governed by the version of this policy published at the time of initial acknowledgement.
This policy is based on the guidelines presented in the ISO Documents 29147 & 30111.
Thanks to disclose.io for their outline and text provided under Creative Commons CC-0 as it was very helpful in creating our VDP.