Snowflake Common Vulnerabilities and Exposures (CVE) Policy
The Common Vulnerabilities and Exposures (CVE) Program aims to identify and catalog publicly disclosed cybersecurity vulnerabilities. These vulnerabilities are defined as weaknesses that can be exploited to negatively affect confidentiality, integrity, or availability; or as conditions or behaviors that enable the violation of an explicit or implicit security policy. Snowflake publishes CVEs to help our customers track and address vulnerabilities to strengthen their security posture, to promote responsible vulnerability disclosures within the cybersecurity community, and to support our ongoing efforts to defend against emerging cyber threats.
Snowflake is committed to cybersecurity transparency and awareness for our customers. To that end, Snowflake will publish CVE reports, and may publish accompanying release notes, for certain vulnerabilities found in the Snowflake product, including user-downloadable software and source code published and maintained by Snowflake. Additionally, the following factors will be considered:
- Customer impact/harm
- Customer action required
- Industry-wide vulnerabilities
- Assessment of Common Vulnerability Scoring System (CVSS) criteria
Vulnerabilities for which a CVE is published typically require Snowflake’s customers to proactively update the affected software. Snowflake strongly recommends that customers apply all updates as soon as possible. Snowflake only publishes CVEs for software and code that is developed or redistributed by us through open source channels. Any software built or modified by third parties, and made available outside of open source channels, falls outside of Snowflake’s responsibility under this policy.
Snowflake’s published CVEs are available at CVE.org.
Snowflake’s policy for responsible vulnerability disclosure is a key component of our ongoing commitment to robust and transparent cybersecurity. This aligns with our dedication to the Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design Pledge and supports the maturation of our Shared Responsibility Model, which helps customers more effectively share security responsibilities. If you have any questions, please contact Snowflake Support or your account team.