Nutanix Corporate Security Program

Our security program consists of a risk-based approach that includes administrative, technical and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Nutanix classified, customer, and partner data. Nutanix's information security program is aligned to the ISF Standard of Good Practice, ISO 27001/2, ISO 27017, ISO 27018, and includes key controls from SOC2.

The Corporate IT Governance, Risk & Compliance (GRC) team establishes policies, provides security governance, evaluates risk, and monitors compliance with the security program and policy.

The Corporate IT Security Engineering team establishes security requirements, implements security solutions, designs maintenance processes, and maintains the security technologies consumed by the Information Security organization.

The Corporate IT Security Operations team performs security monitoring, responds to security events and incidents, manages security incidents throughout their lifecycle, and automates security operational processes whenever possible.

Security Certifications

Responsible Disclosure Program

Industry-recognized security researchers should report any suspected security vulnerabilities in a Nutanix product or service to Nutanix Product Security at hackerone.com/nutanix.

Nutanix takes security very seriously, and we aim to take immediate action to address serious security-related problems that involve our products or services. Customer inquiries or questions regarding industry-published Critical Vulnerability Enumerations (CVEs), patching timelines, or exposure in the product should be directed to Nutanix Support via the methods described in the Support Quick Reference Guide.

When to contact Nutanix Product Security

Nutanix Security Engineering values its relationship with security ecosystem partners and independent security researchers. If you are an industry security researcher and have findings you would like to disclose or discuss with the Nutanix Security Engineering team, please contact us using hackerone.com/nutanix.

Who responds to findings at hackerone.com/nutanix

Only members of the Nutanix Security Engineering team, which is comprised of a small subset of security professionals within Nutanix, will have access to material and correspondence sent to this location.

9AA0DAB7: Nutanix Security Engineering and Research Team security@nutanix.com

This key is used for secure communication with the Nutanix Security Engineering team, and may in the future be used to sign certain announcements or advisories as needed.

Download: 9AA0DAB7

Fingerprint: 991B AB35 18CF 64E3 ABF5 6AF7 30C5 0EA4 9AA0 DAB7

We do not accept communications encrypted with the above key via any other address or support mechanism, and we will discard non-security-related correspondence encrypted with the above key.

How we respond

Email correspondence sent to the security@nutanix.com alias will be read and acknowledged by return message within 72 hours, not including US weekends or holidays. Product support inquiries, including upcoming patch timelines and CVE inclusion in a future release, must be made through an official Nutanix Support ticket via the methods described in the Support Quick Reference Guide.

For other issues, you can contact us at security@nutanix.com.