Security is paramount in building customer trust and confidence. Everpure's products and services are developed using security-by-design principles.
We have established a robust Product Security and Incident Response Team (PSIRT) to investigate, respond, and communicate security vulnerabilities impacting our products and cloud services. This policy outlines our approach to handling and responding to security incidents to protect our customers and maintain the integrity of our products.
Reporting Security Vulnerabilities
Potential vulnerabilities or incidents impacting Everpure's products or services can be reported to psirt@purestorage.com. We highly encourage sending us a secure email using our Contact Pure Security page.
Pure's Product Security & Incident Response Team (PSIRT) will receive and promptly investigate the reported vulnerabilities. The response timelines may vary on factors such as scope, complexity, severity and impact. If the vulnerability is determined to be valid, it will be prioritized based on the impact, likelihood and exploitability of the reported vulnerability.
Please refer to the Vulnerability Reporting and Disclosure Policy for additional information about Responsible Disclosure, Safe Harbor and Bug Bounty Program
How Everpure Scores Vulnerabilities
Everpure uses industry standard Common Vulnerability Scoring System (CVSS 4.0) to assess and determine the vulnerability score. The following criteria must be met for scoring vulnerabilities:
-
Must be a valid vulnerability in Everpure maintained code.
-
The vulnerability must exist in supported versions of the products.
Everpure’s vulnerability scoring is aligned with standards defined by Forum of Incident Response and Security Teams (FIRST.org). Refer to the table below:
|
CVSS Score |
Severity |
|---|---|
|
9.0 - 10.0 |
Critical |
|
7.0 - 8.9 |
High |
|
4.0 - 6.9 |
Medium |
|
0.1 - 3.9 |
Low |
Vulnerability Remediation
-
Pure may release a security patch/bundle along with fixed releases For critical/high vulnerabilities. The determination as to whether multiple fixes will be included in a patch/bundle is based on the security vulnerability impact and potential exploitability.
-
A security bundle addresses multiple vulnerabilities, whereas a patch is meant to address only one vulnerability in the product(s).
-
Patch/Bundles will be made available only for active release software versions. End Of Life (EOL) software versions will not receive a patch. Instead, customers using End Of Life (EoL) software versions will be required to upgrade either to an active release software version (i.e. not EoL), or to a fixed software version.
Note: Upgrading to an active release software version that does not contain required security vulnerability fixes would still require the adoption of self-service opt-in patch application). Similarly, customers with arrays that do not phone home (i.e. Dark Assets) will be required to upgrade to a fixed software version. Manual application of security vulnerability patches is not supported for non-phone home (Dark Assets). -
A cumulative bundle includes fixes from previous security vulnerability patches, and is intended to reduce the burden on customers from being required to apply multiple patches. When a cumulative bundle is released, if it incorporates a security vulnerability fix available from a previous security patch, we will deprecate the previous security patch. Customers may then apply the latest cumulative bundle to address multiple security vulnerabilities.
-
Any exception to this policy must be reviewed and approved by PSIRT.
Security Bulletins & Advisories
Everpure will disclose security vulnerabilities and appropriate mitigations through our security bulletins and advisories/notices. The security bulletins will include at a minimum the following information:
-
Description of the vulnerability
-
Impacted products
-
Fixed versions
-
CVSS score and Vectors
-
Remediation information including workaround (if applicable)
Customers can view a more comprehensive list of vulnerabilities in Pure's CVE Database.
On a case-by-case basis, Pure may publish a security bulletin to acknowledge a publicly known security vulnerability, and to provide guidance regarding when (or where) additional information will be available. Security advisories/notices may also be published for security related events and its impact on Pure products.
Pure may on occasion also determine that based on the scope, impact, and affected install base of a security vulnerability, email notification may also be required to alert our customers of critical vulnerabilities that require immediate attention inline with our privacy policy.
Pure may publish security related articles to share information about security-related topics such as:
-
Release of new security hardening features;
-
Security configuration guides and best practices;
-
Security vulnerabilities in third-party components, identified by vulnerability scanning tools but which are not exploitable from within the specified product;
-
Product certifications.
The above information can be found in Security Resources and Certifications.
The following table identities how Everpure provides customer facing information regarding security vulnerabilities.
|
CVSS Score |
Severity |
Bulletin |
Advisory |
Release Notes |
|---|---|---|---|---|
|
9.0 - 10.0 |
Critical |
Yes |
Yes |
Yes |
|
7.0 - 8.9 |
High |
As Needed |
Yes |
Yes |
|
4.0 - 6.9 |
Medium |
As Needed |
As Needed |
Yes |
|
0.1 - 3.9 |
Low |
As Needed |
As Needed |
Yes |
Pure security bulletins and advisories are available at https://purestorage.com/security.
Release note details can be found at FlashArray Release Center, FlashBlade Release Center, and //Portworx Release Notes.
End of Life Policy
All Pure Products and services are subject to Pure's End-of-Product Lifecycle. For additional information, please see the End of Product Life Cycle and Upgrade Policy in Everpure End User License Agreement (EULA).
Customers can navigate to the End-of-Product Lifecycle Overview for information on Pure’s software and hardware lifecycle including end-of-life dates.
Flash Array End of Product Life Cycle (EOL):
| Release Line | Release Type1 | Original Release Date | Field Qualification2 | Latest Version | End-of-Life (EOL) Date | Hardware Platforms Supported |
|---|---|---|---|---|---|---|
| 6.12 | FR | Jun 2026 | GA | 6.12.0 | Jan 2027 (Planned) | FA//X (R4, R5), FA//C (R4, R5), FA//XL (R1, R5), FA//E, FA//RC20, FA//ST (R1, R5), and Everpure Cloud Dedicated (Azure, AWS) |
| 6.10 | FR | Aug 2025 | GA | 6.10.6 | May 2026 | FA//X (R3, R4, R5), FA//C (R3, R4, R5), FA//XL (R1, R5), FA//E, FA//RC20, and |
| 6.9 | LLR | Jul 2025 | ER (Effective 6.9.2) | 6.9.6 | Jun 2028 (Planned) | FA//X (R3, R4, R5), FA//C (R3, R4, R5), FA//XL (R1, R5), FA//E, FA//RC20, and |
| 6.8 | FR | Oct 2024 | EOL | 6.8.9 (Last) | Jul 2025 | FA//X (R3, R4), FA//C (R3, R4), FA//XL (R1, R5), FA//E, FA//RC20, and |
| 6.7 | LLR | Nov 2024 | GA | 6.7.8 | Oct 2027 (Planned) | FA//X (R2, R3, R4), FA//C (R1, R3, R4), FA//XL (R1), FA//E, and (only through 6.7.7) |
| 6.6 | FR | Oct 2023 | EOL | 6.6.11 (Last) | Sep 2024 | FA//X (R2, R3, R4), FA//C, FA//XL, FA//E, and |
| 6.5 | LLR | Oct 2023 | ER (Effective 6.5.3) | 6.5.13 | Sep 2026 (Planned) | FA//M (R2), FA//X, FA//C, FA//XL, and (only through 6.5.8) |
| 6.4 | FR | Nov 2022 | EOL | 6.4.10 (Last) | Oct 2024 | FA//M (R1, R2), FA//X (R1, R2, R3), FA//C (R2, R3), FA//XL, FA//X and C R4 (effective 6.4.10), and |
| 6.3 | LLR | Apr 2022 | EOL | 6.3.21 (Last) | Mar 2025 | FA//M (R1, R2), FA//X (R1, R2, R3), FA//C (R2, R3), FA//XL |
| 6.2 | SR | Sep 2021 | EOL | 6.2.16 (Last) | May 2023 | |
| 6.1 | LLR | Dec 2020 | EOL | 6.1.25 (Last) | Apr 2024 | |
| 6.0 | SR | Jun 2020 | EOL | 6.0.8 (Last) | Feb 2022 | |
| 5.3 | LLR | Aug 2019 | EOL | 5.3.21 (Last) | Aug 2022 | |
| 5.2 | SR | Jan 2019 | EOL | 5.2.7 (Last) | Jan 2021 | |
| 5.1 | LLR | May 2018 | EOL | 5.1.17 (Last) | Feb 2021 | |
| 5.0 | SR | Dec 2017 | EOL | 5.0.8 (Last) | Dec 2018 | |
| 4.10 | LLR | Apr 2017 | EOL | 4.10.13 (Last) | Feb 2021 |
Flash Blade End of Product Life Cycle (EOL):
|
Release |
Release Notes |
Release Type |
First Published |
End-of-Life Date |
|---|---|---|---|---|
| 4.8.x Release Timeline | 4.8 Release Notes |
FR |
March 2026 |
Q4 2026 |
| 4.7 Release Notes |
LLR |
May 2026 |
April 2029 | |
| 4.6 Release Notes |
FR/EOL |
June 2025 |
Q1 2026 | |
| 4.5 Release Notes |
LLR/ER |
August 2024 |
Q2 2028 | |
| 4.4 Release Notes |
SR/EOL |
March 2024 |
December 31, 2025 | |
| 4.3 Release Notes |
LLR/EOL |
September 2023 |
December 31, 2025 | |
| 4.2 Release Notes |
SR/EOL |
April 2023 |
April 30, 2024 | |
| 4.1 Release Notes |
LLR/EOL |
January 2023 |
March 31, 2025 | |
| 4.0 Release Notes |
SR/EOL |
June 2022 |
March 31, 2025 | |
| 3.3 Release Notes |
LLR/EOL |
December 2021 |
December 20, 2023 | |
| 3.2 Release Notes |
SR/EOL |
March 2021 |
December 7, 2022 | |
| 3.1 Release Notes |
LLR/EOL |
October 2020 |
June 30, 2023 | |
| 3.0 Release Notes |
SR/EOL |
February 2020 |
June 30, 2021 | |
| 2.4 Release Notes |
LLR/EOL |
May 2019 |
October 31, 2021 |
Please see FlashArray Hardware and End Of Support and FlashBlade Hardware and End of Support for Hardware/Purity compatibility.
We recommend that customers review our Product Release Notes for guidance on known fixed issues by release:
We also recommend for customers to stay up-to-date with the latest software to ensure they benefit from the security improvements and vulnerability fixes. Features such as Self-service Upgrade (SSU) are now available in certain Purity versions to make the upgrade process streamlined and efficient.
Purity Self-Service Upgrades for FlashArray™ Video Course is now available for Pure employees.
-
SR - Standard Release: The release line is active for 12-18 months from the first GA release. (Deprecated for FA.)
-
FR - Feature Release: A release line where active development of new product features and capabilities takes place.
-
LLR - Long-Life Release: A maintenance release line where minimizing feature change is the goal and only bug fixes and security updates are included. The release line is active for 24-36 months from the first GA release.
-
GA - General Availability: A release version that has passed internal quality and regression testing and is supported for customer use.
-
ER - Enterprise Ready: A LLR release version following the demonstration of sufficient accumulated runtime data to be recommended for critical customer workloads.
-
EOL - End-of-Life: A release line that has come to the end of the development lifecycle and is no longer being maintained, which means that will no longer release bug fixes, security updates, or firmware upgrades for that line.