Vulnerability Disclosure Policy

1. Introduction

NEC operates its own vulnerability information management system to respond to the new vulnerabilities discovered day to day, and has been working to address them. In July 2002, NEC started working with the CERT/CC to handle vulnerability information, and since 2004, NEC has been participating in the Information Security Early Warning Partnership (*1) to promote measures against vulnerabilities that affect NEC Group products. The following sections provide an overview of vulnerability response in NEC and Group companies, contact information for reporting vulnerabilities in NEC group's products, information provision to customers, and notification efforts.

2. Overview of Vulnerability Response in NEC and Group Companies

 2-1. PSIRT

NEC has established PSIRT (Product Security Incident Response Team) to handle vulnerability information on NEC group's products. PSIRT works together with NEC-CSIRT (NEC Computer Security Incident Response Team).

 2-2. Collection and Sharing of New Vulnerability Information

In NEC and Group companies, PSIRT and product development divisions share vulnerability information collected through external sharing based on the Information Security Early Warning Partnership (*2) and reports from internal finders, using the vulnerability information management system.


(*2): The Information Security Early Warning Partnership Guideline is a set of recommended actions to be taken by related parties in order to realize the appropriate distribution of vulnerability information. For more details, please refer to the reference URL (*1).

 2-3. Vulnerability investigation and countermeasure preparation

The product development divisions should investigate the impact of the vulnerability on the product. If there is an impact, the division will consider countermeasures and prepare corrective procedures, programs, and workarounds.

*We only assign CVEs to issues specific to NEC products.
*For EOL (End of Life) products, we assign CVEs but there may be cases where we do not conduct detailed investigations.

 2-4. Information Disclosure

Information on the vulnerability response for a product is disclosed on the NEC group's Product Security Information site and on JVN (*3), a portal site for vulnerability countermeasure information in Japan. Disclosure follows the principle of simultaneous release, so that the information is published on the date agreed with the coordinating body (JPCERT/CC).

3. Contacting us about vulnerabilities in NEC group's products

 3-1. Contact information and information to be provided

If you find a vulnerability in NEC group's products, please contact the following address.
 We updated our email address and public key on 2022/12/9 to support Sender Domain Authentication.

NEC PSIRT Vulnerability Report Contact:

   psirt-info[@]mlsig.jp.nec.com

 When contacting us, please provide the following information:
  - The name of the product that contains the vulnerability
  - The version of the product that contains the vulnerability
  - Type of vulnerability (buffer overflow, RCE, etc.)
  - Detailed steps to reproduce the vulnerability
  - Proof-of-concept code or exploit code
  - Potential impact of the vulnerability

 3-2. How to Contact

When contacting the NEC PSIRT Vulnerability Report Contact, we request that you use PGP encryption to securely transfer sensitive information such as customer information and product vulnerability information.


Please obtain the PGP public key from here.

 
Key ID: 286E43CB
Type: RSA
Size: 4096
Creation date: 2022-12-05
Expiration date: 2025-12-09
User ID: NEC-PSIRT <psirt-info@mlsig.jp.nec.com>
Key fingerprint: 0564 4C17 F74A 3825 36E4 0603 4ABF 9CC9 286E 43CB

 3-3. Privacy Policy

Customer information and product vulnerability information provided will be managed in accordance with the NEC Personal Information Protection Policy. For details, please click here.

4. Provision of Information to Customers

NEC provides a portal to inform customers of security countermeasure information on NEC group's products. The timing of the information posted on this portal is synchronized with the posting of information on JVN.

 NEC group's Product Security Information Portal

 https://jpn.nec.com/security-info/index.html

5. Notification Initiatives

In NEC and Group companies, in addition to responding to product vulnerabilities, we notify the Information Security Early Warning Partnership when common vulnerabilities are discovered during product research and development, in an effort to improve security for the entire industry.

6. References

  (*1) Information Security Early Warning Partnership
  https://www.ipa.go.jp/en/security/vulnerabilities/partnership.html

  Ministry of Economy, Trade and Industry (METI) Regulations
  for Handling Vulnerability Related Information on Software Products
  https://www.meti.go.jp/policy/netsecurity/vul_notification.pdf

  JPCERT/CC Vulnerability Related Information Handling Guidelines
  https://www.jpcert.or.jp/vh/top.html

  (*3) Japan Vulnerability Notes
  https://jvn.jp/index.html

Disclaimer
The Company disclaims all warranties, express or implied, including the accuracy, usefulness and reliability of the Content and other information provided on this website (hereinafter collectively referred to as the "Content, etc."). The Company does not guarantee the accuracy, usefulness, certainty, or any other aspect of the Content, etc. In no event shall the Company be liable for any damages arising from the use of the Content, etc.
The Company reserves the right to suspend or discontinue the operation of this website without notice. Also, please be aware that the Company may change or discontinue the contents of this website without prior notice.

Update

2024/12/26
Update 3-2.
2024/05/09
Update 2-3.
2022/12/09
Updated the email address and public key.
2021/02/03
Vulnerability Disclosure Policy is released.