Product Security Incident Response Team (PSIRT) 

Our Product Security Incident Response Team (PSIRT) manages the security vulnerability information related to our products and services, including:  

We are implementing this process to reduce risks for our customers and ensure that security vulnerabilities are identified, analyzed and resolved quickly.  

The PSIRT acts as a central point of contact for external security researchers reporting vulnerabilities in our products. We define a vulnerability as a weakness in an information system that a threat agent can exploit to compromise integrity, availability or confidentiality. 

Vulnerability Information Disclosure Policy

The PSIRT follows coordinated vulnerability disclosure (CVD). External reporters can notify the PSIRT about newly discovered vulnerabilities in our products. These notifications allow us to manage the risk for our customers before the report is made public.
 
We disclose vulnerability information related to our products in accordance with:  

What to Expect 

Throughout the process, the PSIRT will update the reporter as often as possible. 
 
Our PSIRT kindly asks the reporter not to disclose any information about unresolved vulnerabilities. A CVE number will be granted for resolved security issues in our products, excluding issues found in third-party components. We do not offer monetary rewards at this time.  

Third-Party Bugs 

The PSIRT reserves the right to forward details of issues reported to it if they affect third-party components or external projects. Throughout this process, our PSIRT will continue to coordinate and communicate with researchers. 

How to Report a Security Vulnerability

Contact us if you believe you have identified a potential vulnerability or security issue in one of our products or services. 

We prefer to handle communications in English. The report should contain the following information: 

If the reporter wishes to remain anonymous, we will respect their privacy. The PSIRT only requires a valid email to establish a communication channel. No personal information will be requested. 

Guidance 

You must not: 

Impact and Severity Ratings 

We currently use the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to manage security vulnerabilities. The complete standard is maintained by the Forum of Incident Response and Security Teams (FIRST).

We reserve the right to deviate from these guidelines if additional factors are not captured properly in the CVSS score. 

Security Acknowledgements 

PSIRT may recognize researchers under our coordinated vulnerability disclosure policy. PSIRT reserves the right to decide on a case-by-case basis. 

Vulnerability Bulletins 

The PSIRT releases vulnerability information in the following publications: 

PSIRT Security Publications 

Security advisories are not a comprehensive list of vulnerabilities, since they are disclosed in accordance with CVD.

Title                                   Type   Date
Apache Log4j Security Vulnerability     SN     2022-01-05
Embedded TCP/IP Stacks – Amnesia:33     SN     2021-05-28
Ripple20                                SN     2020-08-27
SIMJacker Vulnerability                 SN     2020-05-15

Disclaimer 

All aspects of the PSIRT’s process and policies are subject to change without notice and on a case-by-case basis. A response is not guaranteed for any specific issue or class of issues.  

Information is believed to be accurate and reliable when it is furnished. However, your use of the information in this document or in materials linked from it is at your own risk.

We assume no responsibility for the consequences of using such information. We reserve the right to change or update this document without notice at any time.