Nutanix Corporate Security Program

Our security program consists of a risk-based approach that includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Nutanix classified, customer, and partner data. Nutanix's information security program is aligned to the ISF Standard of Good Practice, ISO 27001/2, ISO 27017, ISO 27018, and includes key controls from SOC2.

The Corporate IT Governance, Risk & Compliance (GRC) team establishes policies, provides security governance, evaluates risk, and monitors compliance with the security program and policy.

The Corporate IT Security Engineering team establishes security requirements, implements security solutions, designs maintenance processes, and maintains the security technologies consumed by the Information Security organization.

The Corporate IT Security Operations team performs security monitoring, responds to security events and incidents, manages security incidents throughout their lifecycle, and automates security operational processes whenever possible.

Security Certifications

Responsible Disclosure Program

We encourage security researchers to report their findings directly to Nutanix’s Responsible Disclosure Program, hosted by HackerOne: hackerone.com/nutanix

Nutanix takes security very seriously, and we aim to take immediate action to address serious security-related problems that involve our products or services. Nutanix customers with inquiries or questions regarding industry-published Common Vulnerabilities and Exposures (CVEs), patching timelines, or exposure in the product should direct them to Nutanix Support via the methods described in the Support Quick Reference Guide.

Industry-recognized security researchers should report any suspected security vulnerabilities in a Nutanix product or service to Nutanix Product Security at security@nutanix.com. You can use our GPG key to communicate with us securely.

When to contact Nutanix Product Security

Nutanix Security Engineering values its relationship with security ecosystem partners and independent security researchers. If you are an industry security researcher and have findings you would like to disclose or discuss with the Nutanix Security Engineering team, please contact us at the security@nutanix.com alias, encrypting your message with the provided GPG key if necessary.

Who reads email sent to security@nutanix.com

Only members of the Nutanix Security Engineering team, a small subset of security professionals within Nutanix, have access to material and correspondence sent to the security@nutanix.com alias.

How to contact us securely

Nutanix Security Engineering accepts GPG-encrypted email messages to secure email communications. Email sent to security@nutanix.com can be encrypted with the public key below; note that this key may change or be revoked. Any revocation of the GPG keys for the security@nutanix.com account will be accompanied by a revocation notice posted on this page, together with information on the new keys.

9AA0DAB7: Nutanix Security Engineering and Research Team security@nutanix.com

This key is used for secure communication with the Nutanix Security Engineering team, and may in the future be used to sign certain announcements or advisories as needed.

Download: 9AA0DAB7

Fingerprint: 991B AB35 18CF 64E3 ABF5 6AF7 30C5 0EA4 9AA0 DAB7

We do not accept encrypted communications via any other address or support mechanism with the above key, and we will discard non-security-related correspondence encrypted with the above key.

How we respond

Email correspondence sent to the security@nutanix.com alias will be read and acknowledged by return message within 72 hours, not including US weekends or holidays. Product support inquiries, including upcoming patch timelines and CVE inclusion in a future release, must be raised through an official Nutanix Support ticket via the methods described in the Support Quick Reference Guide.