Our Product Security Incident Response Team (PSIRT) manages the security vulnerability information related to our products and services, including:
We are implementing this process to reduce risks for our customers and ensure that security vulnerabilities are identified, analyzed and resolved quickly.
The PSIRT acts as a central point of contact for external security researchers reporting vulnerabilities in our products. We define a vulnerability as a weakness in an information system that a threat agent can exploit to compromise integrity, availability or confidentiality.
The PSIRT follows coordinated vulnerability disclosure (CVD). External reporters can notify the PSIRT about newly discovered vulnerabilities in our products. These notifications allow us to manage the risk for our customers before the report is made public.
We disclose vulnerability information related to our products in accordance with:
Throughout the process, the PSIRT will update the reporter as often as possible.
Our PSIRT kindly asks the reporter not to disclose any information about unresolved vulnerabilities. A CVE number will be granted for resolved security issues in our products, excluding issues found in third-party components. We do not offer monetary rewards at this time.
The PSIRT reserves the right to forward details of issues reported to it if they affect third-party components or external projects. Throughout this process, our PSIRT will continue to coordinate and communicate with researchers.
Contact us if you believe you have identified a potential vulnerability or security issue in one of our products or services.
We prefer to handle communications in English. The report should contain the following information:
If the reporter wishes to remain anonymous, we will respect their privacy. The PSIRT only requires a valid email to establish a communication channel. No personal information will be requested.
You must not:
We currently use the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to manage security vulnerabilities. The complete standard, maintained by the Forum of Incident Response and Security Teams (FIRST), can be found here.
We reserve the right to deviate from these guidelines if additional factors are not captured properly in the CVSS score.
PSIRT may recognize researchers under our coordinated vulnerability disclosure policy. PSIRT reserves the right to decide on a case-by-case basis.
The PSIRT releases vulnerability information in the following publications:
Security advisories are not a comprehensive list of vulnerabilities, since they are disclosed based on the CVD.
Apache Log4j Security Vulnerability
Embedded TCP/IP Stacks – Amnesia:33
All aspects of the PSIRT’s process and policies are subject to change without notice and on a case-by-case basis. A response is not guaranteed for any specific issue or class of issues.
Information is believed to be accurate and reliable when it is furnished. However, your use of the information in this document or in materials linked from it is at your own risk.
We assume no responsibility for the consequences of using such information. We reserve the right to change or update this document without notice at any time.