Splunk Product Security Policy
For specific information on our hosted services and how we secure our cloud offerings from vulnerabilities and protect customer data, visit Splunk Protects.

Splunk maintains a policy of evaluating all potential security vulnerabilities within two business days of discovery. 

If you're a customer, potential customer, or partner, report your findings by going to the Support Portal and submitting a New Case. Professional security researchers should submit to Report a Security Vulnerability.

Splunk uses the Common Vulnerability Scoring System Version 3.1 to rate and prioritize vulnerabilities. CVSSv3.1 is an industry-standard rating system for security incidents. Splunk calculates all scores using the best available analysis and metrics.

Splunk makes reasonable efforts to issue releases to mitigate or fix vulnerabilities for all applicable, supported versions. See the Splunk Software Support Policy for the list of supported versions.

Splunk releases, including maintenance and major releases, incorporate cumulative fixes for all previously fixed vulnerabilities.

For critical-risk, high-impact vulnerabilities, Splunk makes reasonable efforts to expedite maintenance releases for all affected, supported versions.

For critical-risk, high-impact vulnerabilities, Splunk makes reasonable efforts to supply patches, assuming that patches are a viable stop-gap for customers who cannot otherwise upgrade Splunk.

Splunk announces vulnerabilities at the Splunk Product Security Portal and the Splunk Product Security Announcements RSS feed.

Splunk announces security vulnerabilities publicly after releasing fixes for all affected, supported versions. See the Splunk Software Support Policy for the list of supported versions.

For critical-risk, high-impact vulnerabilities, Splunk may contact customers that are especially vulnerable to recommend mitigations.

Splunk does not release the details of vulnerabilities.

Questions? Submit your question to Splunk Support.
