Pentair Responsible Disclosure Program
Mission
Pentair is committed to its Win Right Values. Part of living our Win Right Values is a commitment to the security of our products, technology, customers, and employees. Pentair takes security seriously and investigates all reported vulnerabilities. Accordingly, Pentair has adopted this Responsible Disclosure Program (the “Program”) to encourage public disclosure of newly identified cybersecurity vulnerabilities in its products and services.
Scope of the Program
This Program covers all Pentair products and services excluding any third-party provided network components, like cloud service providers. The Program includes, for example:
- All websites
- All current connected products (excluding the cloud connection and cloud storage)
- All mobile applications
See “Out of Scope” List below for products, services, and vulnerabilities excluded from the Program.
Eligibility to Participate
To participate in this Program, you must:
- Have read and agree to this Program;
- Be at least 18 years of age; and
- Participate in the Program in your individual capacity or with the permission of the organization that employs you.
To participate in this Program, you must not be:
- On a sanctions list or in a country on a sanctions list maintained by the U.S. Department of Treasury Office of Foreign Assets Control or any other applicable government entity;
- Prohibited or limited from participating in the Program by any applicable law;
- Employed by Pentair or any one of its affiliates, currently or in the past year; or
- Serving as a contributing author of the code that is the subject of your Report.
If you violate any provision of these representations, you will be automatically disqualified from this Program.
Public Disclosure Requirements
To comply with the Program, members of the public disclosing potential vulnerabilities must do so in accordance with the following guidelines:
- Notify Pentair as soon as possible after you discover a real or potential security vulnerability.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use information owned by you and not by a third party in your Report.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Do not compromise public safety.
- Do not violate any applicable local, state, national, or international law, including intellectual property.
- Do not use accounts that are not your own.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- The following activities are expressly prohibited by the terms of this Program:
  - Denial of Service (DoS) attacks against Pentair, its products, or any of its third-party providers;
  - Social engineering or phishing to solicit login passwords or credentials from Pentair employees, contractors, or third parties;
  - Physical attacks against Pentair employees, offices, or data centers;
  - Knowing distribution of any malware; and
  - Using unsolicited bulk messaging to pursue any vulnerabilities.
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), you must stop and notify Pentair immediately, and not disclose this data to anyone else.
Report Submission and Review
- To participate, you must submit a potential vulnerability report to Pentair (the “Report”) via email at ResponsibleDisclosure@Pentair.com.
- Upon successful submission of your Report, you will receive a confirmation of receipt from us.
- Please allow us a reasonable period of time to investigate and validate your Report. We will keep you reasonably informed about the status of any vulnerability you reported.
- Pentair is not responsible for any Reports that it does not receive. Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities.
What to Include in Your Report
A detailed, well-written Report will help us to assess the situation more quickly. To facilitate our review, please include a detailed description of the potential vulnerability, sufficient for us to reproduce and correct any issues, and include the targets, tools, process, artifacts, etc. used in discovery. Submissions of screenshots are welcome.
Disclosure
We are committed to responding to all Reports in a timely manner. To qualify under this Program, you must not disclose any of the contents of a Report, or the fact that you submitted a Report, to anyone outside of Pentair. After Pentair communicates to you that it has completed its review of the Report, you may request the ability to disclose the contents of your Report to third parties. In reviewing all such requests, Pentair, in its sole discretion, will make all determinations.
Out of Scope
The following products, services, and vulnerabilities are outside the scope of this Program:
- Products and services no longer produced, maintained, or sold by Pentair, including outdated or unpatched applications, services, software, or firmware;
- Third-party websites or services, including third-party software incorporated in Pentair applications;
- Bugs that simply cause an app to crash;
- Attacks against Pentair infrastructure;
- Attacks requiring physical access to a user's mobile device;
- Network provisioning errors;
- Violation of licenses or other restrictions applicable to any vendor's product;
- Security bugs in third-party applications (e.g. Java, plugins) or websites;
- Host header injections (unless you can show how they could lead to a data loss);
- Self-XSS (User defined payload);
- Login/logout CSRF;
- Use of a known-vulnerable library (without evidence of exploitability);
- Vulnerabilities affecting users of outdated browsers or platforms;
- Vulnerabilities which require a jailbroken or rooted mobile device;
- Previously reported vulnerabilities unless some additional information is reported in the subsequent Report;
- Recent acquisitions for the first six (6) months after acquisition to give Pentair time to internally review and mitigate any issues; and
- Vulnerabilities that present negligible security impact or are exploited to conduct a malicious attack against Pentair. Common examples may include, but are not limited to, the following:
  - Vulnerabilities discovered by conducting an attack against Pentair employees, clients and/or partners, or by using social engineering techniques (e.g. shoulder surfing, stealing devices, phishing, fraud, stolen credentials);
  - Vulnerabilities which require a rooted or jailbroken mobile device;
  - Vulnerabilities within Pentair’s lab, staging environments, or sandbox;
  - System vulnerabilities irrelevant to security issues.
Legal
- Pentair, in its sole discretion, may modify or discontinue the Program at any time.
- Pentair, in its sole discretion, may disqualify any security researcher from this Program at any time.
- Pentair may pursue legal action against any criminal or unlawful activity at any time.
- This Program does not make you an employee or a contractor of Pentair, and you are responsible for any taxes or additional restrictions based on your national and local laws.
If you make a good faith effort to comply with this Program during your security research, Pentair will consider your research to be authorized, Pentair will work with you to understand and resolve the issue quickly, and Pentair will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, Pentair will make this authorization known.
Contact Information
If you have any inquiries regarding the Program, please contact us at ResponsibleDisclosure@Pentair.com.
Thank you for your interest in making Pentair and its products more secure.