Vulnerability Disclosure Policy
NEC has been operating its own vulnerability information management system to respond to new vulnerabilities discovered day to day, and has been working to address them. In July 2002, NEC started working with the CERT/CC to handle vulnerability information, and since 2004, NEC has been participating in the Information Security Early Warning Partnership (*1) to promote measures against vulnerabilities that affect NEC Group products.
The following sections provide an overview of vulnerability response in NEC and Group companies, contact information for vulnerabilities related to NEC group's products, information provision to customers, and notification efforts.
2. Overview of Vulnerability Response in NEC and Group Companies
NEC has established PSIRT (Product Security Incident Response Team) to handle vulnerability information on NEC group's products. PSIRT works together with NEC-CSIRT (NEC Computer Security Incident Response Team).
2-2. Collection and Sharing of New Vulnerability Information
In NEC and Group companies, PSIRT and product development divisions share vulnerability information collected through external sharing based on the Information Security Early Warning Partnership (*2) and reports from internal finders, using the vulnerability information management system.
(*2): The Information Security Early Warning Partnership Guideline is a set of recommended actions to be taken by related parties in order to realize the appropriate distribution of vulnerability information. For more details, please refer to the reference URL (*1).
2-3. Vulnerability investigation and countermeasure preparation
The product development divisions should investigate the impact of the vulnerability on the product. If there is an impact, the division will consider countermeasures and prepare corrective procedures, programs, and workarounds.
2-4. Information Disclosure
Information on the vulnerability response to the product is disclosed on the NEC group's Product Security Information site and JVN (*3), a portal site for vulnerability countermeasure information in Japan. Disclosure follows the principle of simultaneous publication, so that the information is disclosed on the date agreed with the coordinating body (JPCERT/CC). We also disseminate security information in JVNRSS format.
3. Contacting us about vulnerabilities in NEC group's products
3-1. Contact information and information to be provided
If you find a vulnerability in NEC group's products, please contact the following address.
When contacting us, please provide the following information:
- The name of the product that contains the vulnerability
- The version of the product that contains the vulnerability
- Type of vulnerability (buffer overflow, RCE, etc.)
- Detailed steps to reproduce the vulnerability
- Proof-of-concept code or exploit code
- Potential impact of the vulnerability
3-2. How to Contact
When contacting the NEC PSIRT Vulnerability Report Contact, we request that you use PGP encryption to securely transfer sensitive information such as customer information and product vulnerability information.
Please obtain the PGP public key from here.
User ID: NEC-PSIRT <email@example.com>
Key fingerprint: 12A0 3CBA 373A 2A3D F296 C2DC 46C5 8CA1 7EE7 CC8E
Customer information and product vulnerability information provided will be managed in accordance with the NEC Personal Information Protection Policy. For details, please click here.
4. Provision of Information to Customers
NEC provides a portal to inform customers of security countermeasure information on NEC group's products. The timing of the information posted on this portal is synchronized with the posting of information on JVN.
NEC group's Product Security Information Portal
5. Notification Initiatives
In NEC and Group companies, in addition to responding to product vulnerabilities, we notify the Information Security Early Warning Partnership when common vulnerabilities are discovered during product research and development, in an effort to improve security for the entire industry.
(*1) Information Security Early Warning Partnership Guidelines
Ministry of Economy, Trade and Industry (METI) Regulations for Handling Vulnerability Related Information on Software Products
JPCERT/CC Vulnerability Related Information Handling Guidelines
Vulnerability Countermeasure: Automatic Collection of Vulnerability Countermeasure Information Sent by Product Developers
(*3) Japan Vulnerability Notes
The Company disclaims all warranties, express or implied, including the accuracy, usefulness and reliability of the Content and other information provided on this website (hereinafter collectively referred to as the "Content, etc."). The Company does not guarantee the accuracy, usefulness, certainty, or any other aspect of the Content, etc. In no event shall the Company be liable for any damages arising from the use of the Content, etc. The Company reserves the right to suspend or discontinue the operation of this website without notice. Also, please be aware that the Company may change or discontinue the contents of this website without prior notice.
Vulnerability Disclosure Policy is released.