1. Introduction

An important goal of the Western Digital PSIRT (Product Security Incident Response Team) is to protect the security of the end users of Western Digital products. The Western Digital Vulnerability Disclosure Policy encourages the input of security researchers and the general public, to act in good faith and engage in responsible vulnerability research and disclosure. If you believe you have discovered a vulnerability, exposed data, or other security issues, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, clarifies Western Digital's definition of good faith in the context of discovering and reporting potential vulnerabilities, and explains what researchers can expect from Western Digital in return.

2. Definitions

1. We / Us: Within this policy, "we" means all Western Digital and covers our brands.
2. You / Vulnerability Reporter: individual, organization, or limited group disclosing a vulnerability report.
3. Confidentiality Window: If and when we accept your vulnerability report, our goal is to complete remediation work and release a fix within 90 days of initial acknowledgement. If additional information is required to confirm the vulnerability we will contact you. If we do not receive a response after 3 attempts we may close the case, but we will still welcome future communications.
4. Security Bulletins: Our Security Bulletins are posted here:
   https://www.westerndigital.com/support/productsecurity
5. Official Reporting Channel: the communications channel for communicating about vulnerability disclosures: PSIRT@wdc.com.
6. Initial Acknowledgement: This is the date on which we respond after receiving your report to PSIRT with a case number and a 90-day disclosure date.

3. Vulnerability Reporting Instructions

To report a security issue you believe you have found in a Western Digital product or service, please email the details of your findings to our official reporting channel. Messages sent to any other email addresses may result in a delayed response.

Required information:

• The specific product(s) and version number(s); or
• For a Service(s), provide the specific service and/or URL including a timestamp of the reported issue; and
• Steps to reproduce the issue, including a Proof of Concept (PoC);

Recommended:

• Provide any relevant CWE references, if available;
• Whether you believe the vulnerability is already publicly disclosed or known to third parties.

You may encrypt the information before sending it by using our PGP/GPG key.

4. Multi-Party Coordinated Vulnerability Disclosure

We follow the FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure.

5. Products and Services Scope

We accept Security Reports on all Western Digital HDD-based and platforms products and related cloud services that are not at end-of-updates/support. All products and services past their end-of-updates/support are not covered by this vulnerability disclosure policy.

6. Out of Scope

Product Vulnerability Scans

• PSIRT does not accept Vulnerability Scan Reports on our devices, without a Proof of Concept.

For Western Digital flash-based product reports, please refer to SanDisk Vulnerability Disclosure Policy.

We also welcome vulnerability reports on our Internet presence, i.e. westerndigital.com, please send these reports to websecurity@wdc.com.

Accepted Web Vulnerabilities:

• OWASP Top 10 vulnerability categories
• Other vulnerabilities with demonstrated impact

Unaccepted Web Vulnerabilities:

• Theoretical vulnerabilities
• Informational disclosures of non-sensitive data
• Low impact/low likelihood of exploit vulnerabilities

7. Our Commitments

When working with us, according to this policy:

• We do not currently offer or participate in any bug bounty programs. We do not honor requests for bounty payments, promotional material, or credit outside of our Security Bulletin publication process.
• We will initially acknowledge your vulnerability report within 3 business days of receipt, and we will provide a tracking number.
• We will send a confirmation of vulnerability acceptance within 30 days of our initial acknowledgement, and we will include a proposed fix deadline. If we do not accept the report, we will provide our reasoning and we will remain open to new information about the report.
• Once the reported vulnerability has been confirmed, our engineers will work on developing the appropriate fix(es).
• Occasionally there are vulnerabilities that cannot be resolved within the 90 day timeline. If more time than the normal confidentiality window is needed, we will work with you to extend the confidentiality window or advise otherwise. Resolution may depend on:
  
  • Upstream vendors with different resolution timeframes than ours.
  • Substantial architectural changes required to address the vulnerability.
  • Complex or extended validation requirements resulting from low level firmware changes such as for hard drive firmware vulnerabilities.
• We publish Security Bulletins at our own discretion in order to provide security information to our customers and the public. We will offer acknowledgement to you for finding and reporting the vulnerability on the related Security Bulletin and CVE if:
  • The reported vulnerability affects a currently supported Western Digital product,
  • We make a code or configuration change based on the issue,
  • You are the first to report the issue,
  • Your research is conducted in accordance with this policy, and
  • You consent to the acknowledgement.
• We do not publish advisories for general security improvements and defensive programming fixes that do not have a proven security impact.

8. Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask the following from you.

• Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
• Report any vulnerability you’ve discovered promptly.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing. In particular:
  
  • Do not cause potential or actual damage to our users, systems, or applications, including via disruptive testing like Denials of Service.
  • Do not exploit a vulnerability to view unauthorized data or corrupt any data.
  • Do not perform attacks that target our personnel, property, data centers, partners, and affiliates.
  • Do not perform social engineering attempts or otherwise misrepresent your affiliation or authorization to any of our employees, contractors, or affiliates to access our assets.
    
  • Do not violate any laws or breach any agreements in order to discover vulnerabilities.
    
• Perform research only within the product scope defined above under Products and Services Scope.
• Communicate security vulnerabilities to us only via our vulnerability reporting process.
  
• Keep information about any vulnerabilities you have discovered confidential until we have resolved the issue and a security bulletin is posted. Do not disclose information outside of the confidentiality window.
• If a vulnerability provides unintended access to data:
  
  • Limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept; and
  • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
• Only interact with test accounts you own or accounts where you have explicit permission from the account holder.

9. Disclaimer

We may update the Vulnerability Disclosure Policy from time to time. Please review this policy prior to submitting vulnerability reports. Disclosures will be governed by the version of this policy published at the time of initial acknowledgement.

10. Change History

Published: March 17, 2025
Version: 2.0

11. References

This policy is based on the guidelines presented in the ISO Documents 29147 & 30111.
Thanks to disclose.io for their outline and text provided under Creative Commons CC-0 as it was very helpful in creating our VDP.