1. Introduction

NEC has been operating its own vulnerability information management system to respond to new vulnerabilities discovered day to day, and has been working to address them. In July 2002, NEC started working with the CERT/CC to handle vulnerability information, and since 2004, NEC has been participating in the Information Security Early Warning Partnership (*1) to promote measures against vulnerabilities that affect NEC Group products.The following sections provide an overview of vulnerability response in NEC and Group companies, contact information for vulnerabilities related to NEC group's products, information provision to customers, and notification efforts.

2. Overview of Vulnerability Response in NEC and Group Companies

　2-1．PSIRT

NEC has established PSIRT (Product Security Incident Response Team) to handle vulnerability information on NEC group's products. PSIRT works together with NEC-CSIRT (NEC Computer Security Incident Response Team).

　2-2. Collection and Sharing of New Vulnerability Information

In NEC and Group companies, PSIRT and product development divisions share vulnerability information collected through external sharing based on the Information Security Early Warning Partnership (*2) and reports from internal finders, using the vulnerability information management system.

　2-3. Vulnerability investigation and countermeasure preparation

The product development divisions should investigate the impact of the vulnerability on the product. If there is an impact, the department will consider the countermeasure and prepare the corrective procedures, programs, and workarounds.

*We only assign CVEs to issues specific to NEC products.
*For EOL (End of Life) products, we assign CVEs but there may be cases where we do not conduct detailed investigations.

　2-4. Information Disclosure

Information on the vulnerability response to the product is disclosed on the NEC group's Product Security Information site and JVN (*3), a portal site for vulnerability countermeasure information in Japan. Information disclosure will be made in accordance with the principle of coincidence with the release date so that it can be disclosed on the date agreed with the coordinating body (JPCERT / CC). 

3. Contacting us about vulnerabilities in NEC group's products

　3-1. Contact information and information to be provided

If you find a vulnerability in NEC group's products, please contact the following address.
　Updated our email address and public key to support Sender Domain Authentication on 2022/12/9.

　　　psirt-info[@]mlsig.jp.nec.com

 When contacting us, please provide the following information
　 - The name of the product that contains the vulnerability.
 　- The version of the product that contains the vulnerability.
 　- Type of vulnerability (buffer overflow, RCE, etc.)
 　- Detailed steps to reproduce the vulnerability
 　- Proof-of-concept code or exploit code
 　- Potential impact of the vulnerability

　3-2. How to Contact

When contacting the NEC PSIRT Vulnerability Report Contact, we request that you use PGP encryption to securely transfer sensitive information such as customer information and product vulnerability information.
　Updated our email address and public key to support Sender Domain Authentication on 2022/12/9.

Please obtain the PGP public key from here.

　3-3. Privacy Policy

Customer information and product vulnerability information provided will be managed in accordance with the NEC Personal Information Protection Policy. For details, please click here.

4. Provision of Information to Customers

NEC provides a portal to inform customers of security countermeasure information on NEC group's products. The timing of the information posted on this portal is synchronized with the posting of information on JVN.

　NEC group's Product Security Information Portal
　https://jpn.nec.com/security-info/index.html

5. Notification Initiatives

In NEC and Group companies, in addition to responding to product vulnerabilities, we notify the Information Security Early Warning Partnership when common vulnerabilities are discovered during product research and development, in an effort to improve security for the entire industry.

6. References

　　(*1) Information Security Early Warning Partnership
　　https://www.ipa.go.jp/en/security/vulnerabilities/partnership.html

　　Ministry of Economy, Trade and Industry (METI) Regulations
　　for Handling Vulnerability Related Information on Software Products
 https://www.meti.go.jp/policy/netsecurity/vul_notification.pdf


　　JPCERT/CC Vulnerability Related Information Handling Guidelines
　　https://www.jpcert.or.jp/vh/top.html

　　(*3)Japan Vulnerability Notes
　　https://jvn.jp/index.html

Disclaimer
The Company disclaims all warranties, express or implied, including the accuracy, usefulness and reliability of the Content and other information provided on this website (hereinafter collectively referred to as the "Content, etc."). The Company does not guarantee the accuracy, usefulness, certainty, or any other aspect of the Content, etc. (collectively, the "Content, etc."). In no event shall the Company be liable for any damages arising from the use of the Contents.The Company reserves the right to suspend or discontinue the operation of this website without notice. Also, please be aware that the Company may change or discontinue the contents of this website without prior notice.

Update