Pentair Responsible Disclosure Program
Mission
Pentair is committed to its Win Right Values. Part of living our Win Right Values is a commitment to the security of our products, technology, customers, and employees. Pentair recognizes and values the work of security researchers in identifying potential security vulnerabilities. Accordingly, Pentair has adopted this Responsible Disclosure Program (the “Program”) to encourage security researchers to contribute to our ongoing security efforts by responsibly detecting and reporting potential vulnerabilities.
Scope of the Program
In principle, this Program covers all Pentair products and services excluding any third-party provided network components, like cloud service providers. The Program includes, for example:
- All websites including pentair.com, pentairaes.com, pelicanwater.com
- All current connected products (excluding the cloud connection and cloud storage)
- All mobile applications
See the “Out of Scope” list below for products, services, and vulnerabilities excluded from the Program.
Performance of Research
To comply with the Program, security researchers disclosing potential vulnerabilities must do so in accordance with the following:
- You must not compromise public safety;
- You must not use information owned by a third party in your Report;
- You must not make use of or exploit any vulnerability;
- You must not download, export or store Pentair’s data under any circumstances;
- You must not disrupt others’ use of Pentair products or services;
- You must not use accounts that are not your own;
- You must not violate any applicable local, state, national, or international law;
- You must not cause any data privacy violations;
- You must not cause any intellectual property violations.
Specifically, the following activities are prohibited:
- Denial of Service (DoS) attacks against Pentair, its products, or any of its third-party providers;
- Social engineering or phishing to solicit login passwords or credentials from Pentair employees, contractors, or third-parties;
- Physical attacks against Pentair employees, offices, or data centers;
- Knowing distribution of any malware; and
- Using unsolicited bulk messaging (spam) to pursue any vulnerabilities.
Report Submission and Review
- To participate you must submit a potential vulnerability report to Pentair (the “Report”) via email at ResponsibleDisclosure@Pentair.com.
- Upon successful submission of your Report you will receive a confirmation of receipt from us.
- After we receive your Report, we will review it. Please allow us a reasonable period of time to investigate your Report and confirm the situation. We will keep you reasonably informed about the status of any vulnerability you reported through the Program that we have validated.
- Pentair is not responsible for any Reports that it does not receive.
What to Include in Your Report
A detailed, well-written Report will help us to assess the situation more quickly. To facilitate review, please include a detailed description of the potential vulnerabilities such that we are able to reproduce and correct any issues and include the targets, tools, process, artifacts, etc. used in discovery. Submissions of screenshots are welcome.
Disclosure
We are committed to responding to all Reports in a timely manner. In return for our commitment to respond to all Reports, to qualify under this Program, you must not disclose any of the contents of a Report or the fact that you submitted a Report to anyone outside of Pentair. After Pentair communicates to you that it has completed its review of the Report, you may request the ability to disclose the contents of your Report to third parties. In reviewing all such requests, Pentair, in its sole discretion, will make all determinations.
Your Eligibility to Participate
To participate in this Program you must:
- Have read and agree to this Program;
- Be at least 18 years of age;
- Participate in the Program in your individual capacity or with the permission of the organization that employs you.
To participate in this Program, you must not be:
- On a sanctions list or in a country on a sanctions list (e.g. Cuba, Iran, North Korea, Sudan, or Syria);
- Prohibited or limited from participating in the Program by any applicable law;
- Employed by Pentair and its affiliates, currently or in the past year; or
- A contributing author of the code that is the subject of your Report.
If you violate any provision of these representations, you will be automatically disqualified from this Program.
Legal
- Pentair, in its sole discretion, may modify or discontinue the Program at any time.
- Pentair, in its sole discretion, may disqualify any security researcher from this Program at any time.
- Pentair may pursue legal action against any criminal or unlawful activity at any time.
- This Program does not make you an employee or a contractor of Pentair, and you are responsible for any taxes or additional restrictions based on your national and local laws.
Contact Information
If you have any inquiries regarding the Program, please contact us at ResponsibleDisclosure@Pentair.com.
Out of Scope
The following products, services, and vulnerabilities are outside the scope of this Program:
- Products and services no longer produced, maintained, or sold by Pentair, including outdated or unpatched applications, services, software, or firmware;
- Third-party websites or services, including third party software incorporated in Pentair applications;
- Bugs that simply cause an app to crash;
- Attacks against Pentair infrastructure;
- Attacks requiring physical access to a user's mobile device;
- Network Provisioning errors;
- Violation of licenses or other restrictions applicable to any vendor's product;
- Security bugs in third-party applications (e.g. Java, plugins) or websites;
- Host header injections (unless you can show how they could lead to a data loss);
- Self-XSS (User defined payload);
- Login/logout CSRF;
- Use of a known-vulnerable library (without evidence of exploitability);
- Vulnerabilities affecting users of outdated browsers or platforms;
- Vulnerabilities which require a jailbroken or rooted mobile device;
- Previously reported vulnerabilities unless some additional information is reported in the subsequent Report;
- Recent acquisitions for the first six (6) months after acquisition to give Pentair time to internally review and mitigate any issues; and
- Vulnerabilities that present negligible security impact or are exploited to conduct a malicious attack against Pentair. Common examples may include, but are not limited to, the following:
  - Vulnerabilities discovered by conducting an attack against Pentair employees, clients and/or partners, or by resorting to social engineering techniques (e.g. shoulder surfing, stealing devices, phishing, fraud, stolen credentials);
  - Vulnerabilities which require a rooted or jailbroken mobile device;
  - Vulnerabilities within Pentair’s lab, staging environments, or sandbox;
  - System vulnerabilities irrelevant to security issues.
Thank you for your interest in making Pentair and its products more secure.