Our Product Security Incident Response Team (PSIRT) manages the security vulnerability information related to our products and services, including:
- Receipt
- Investigation
- Coordination
- Disclosure
We are implementing this process to reduce risks for our customers and ensure that security vulnerabilities are identified, analyzed and resolved quickly.
The PSIRT acts as a central point of contact for external security researchers reporting vulnerabilities in our products. We define a vulnerability as a weakness in an information system that a threat agent can exploit to compromise integrity, availability or confidentiality.
Vulnerability Information Disclosure Policy
The PSIRT follows the coordinated vulnerability disclosure (CVD). External reporters can notify the PSIRT about newly discovered vulnerabilities in our products. These notifications allow us to manage the risk for our customers before the report is made public.
We disclose vulnerability information related to our products in accordance with:
- ISO/IEC 29147:2018: Information technology – Security techniques – Vulnerability disclosure
- ISO/IEC 30111:2019: Information technology – Security techniques – Vulnerability handling processes
What to Expect
- Within seven working days, PSIRT responds to the reporter. During this phase, the report is acknowledged and shared with the appropriate business units.
- Within the appropriate business units, vulnerability triage is performed.
- Once the issue is confirmed as a security vulnerability, the reporter will be notified, and a remediation plan will be created. Impact, severity and exploit complexity are considered when prioritizing remediation.
Throughout the process, the PSIRT will update the reporter as often as possible.
Our PSIRT kindly asks the reporter not to disclose any information about unresolved vulnerabilities. A CVE number will be granted for resolved security issues in our products, excluding issues found in third-party components. We do not offer monetary rewards at this time.
Third-Party Bugs
The PSIRT reserves the right to forward details of issues reported to it if they affect third-party components or external projects. Throughout this process, our PSIRT will continue to coordinate and communicate with researchers.
How to Report a Security Vulnerability
Contact us if you believe you have identified a potential vulnerability or security issue in one of our products or services.
We prefer to handle communications in English. The report should contain the following information:
- Product and version
- Descriptions of the vulnerability and impact
- Special configuration or specific scenario required to reproduce the issue
- Detailed step-by-step instructions to reproduce the issue
- Proof of concept or exploit code, if available
- Vulnerability category information:
- Our proprietary code
- Third-party component: Firmware or hardware distributed or incorporated into our product
If the reporter wishes to remain anonymous, we will respect their privacy. The PSIRT only requires a valid email to establish a communication channel. No personal information will be requested.
Guidance
You must not:
- Break any applicable law or regulations
- Access unnecessary, excessive or significant amounts of data
- Modify data in the organization’s systems or services
- Disrupt the organization’s services or systems
- Use social engineering on our employees or contractors
- Disclose the issue until it has been resolved and without our consent
- Report security best practices without a valid exploit (e.g., use of “weak” TLS ciphers, HTTP security headers)
Impact and Severity Ratings
We currently use the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to manage security vulnerabilities. The complete standard, maintained by the Forum of Incident Response and Security Teams (FIRST), can be found here.
We reserve the right to deviate from these guidelines if additional factors are not captured properly in the CVSS score.
Security Acknowledgements
PSIRT may recognize researchers under our coordinated vulnerability disclosure policy. PSIRT reserves the right to decide on a case-by-case basis.
Vulnerability Bulletins
The PSIRT releases vulnerability information in the following publications:
- Security Advisory (SA): Containing relevant vulnerability information related to our products
- Security Notice (SN): Special communication to respond to public disclosures in which the vulnerability could have received public attention or is exploited in the wild
PSIRT Security Publications
Security advisories are not a comprehensive vulnerabilities list since they are disclosed based on the CVD.
| Title | Type | Date |
| CVE-2024-3094 Linux XZ-Utils Vulnerability | SN | 2024-04-11 |
| Apache Log4j Security Vulnerability | SN | 2022-01-05 |
| Embedded TCP/IP Stacks – Amnesia:33 | SN | 2021-05-28 |
| Ripple20 | SN | 2020-08-27 |
| SIMJacker Vulnerability | SN | 2020-05-15 |
Disclaimer
All aspects of the PSIRT’s process and policies are subject to change without notice and on a case-by-case basis. A response is not guaranteed for any specific issue or class of issues.
Information is believed to be accurate and reliable when it is furnished. However, your use of the information on the document or materials linked in the document is at your own risk.
We assume no responsibility for the consequences of using such information. We reserve the right to change or update this document without notice at any time.