
Vulnerability Disclosure Policy

1. Introduction

NEC has been operating its own vulnerability information management system to respond to new vulnerabilities discovered day to day, and has been working to address them. In July 2002, NEC started working with the CERT/CC to handle vulnerability information, and since 2004, NEC has been participating in the Information Security Early Warning Partnership (*1) to promote measures against vulnerabilities that affect NEC Group products. The following sections provide an overview of vulnerability response in NEC and Group companies, contact information for vulnerabilities related to NEC group's products, information provision to customers, and notification efforts.

2. Overview of Vulnerability Response in NEC and Group Companies

 2-1. PSIRT

NEC has established PSIRT (Product Security Incident Response Team) to handle vulnerability information on NEC group's products. PSIRT works together with NEC-CSIRT (NEC Computer Security Incident Response Team).

 2-2. Collection and Sharing of New Vulnerability Information

In NEC and Group companies, PSIRT and product development divisions share vulnerability information collected through external sharing based on the Information Security Early Warning Partnership (*2) and reports from internal finders, using the vulnerability information management system.


(*2): The Information Security Early Warning Partnership Guideline is a set of recommended actions to be taken by related parties in order to realize the appropriate distribution of vulnerability information. For more details, please refer to the reference URL (*1).

 2-3. Vulnerability investigation and countermeasure preparation

The product development divisions should investigate the impact of the vulnerability on the product. If there is an impact, the division will consider countermeasures and prepare the corrective procedures, programs, and workarounds.

 2-4. Information Disclosure

Information on the vulnerability response for the product is disclosed on the NEC group's Product Security Information site and on JVN (*3), a portal site for vulnerability countermeasure information in Japan. Disclosure follows the principle of a synchronized release date, so that the information is published on the date agreed with the coordinating body (JPCERT/CC). We also disseminate security information in JVNRSS format.

3. Contacting us about vulnerabilities in NEC group's products

 3-1. Contact information and information to be provided

If you find a vulnerability in NEC group's products, please contact the following address.

NEC PSIRT Vulnerability Report Contact:

   psirt-info@cyber.jp.nec.com

 When contacting us, please provide the following information:
  - The name of the product that contains the vulnerability
  - The version of the product that contains the vulnerability
  - Type of vulnerability (buffer overflow, RCE, etc.)
  - Detailed steps to reproduce the vulnerability
  - Proof-of-concept code or exploit code
  - Potential impact of the vulnerability

 3-2. How to Contact

When contacting the NEC PSIRT Vulnerability Report Contact, we request that you use PGP encryption to securely transfer sensitive information such as customer information and product vulnerability information.


Please obtain the PGP public key from here.

 
Key ID: 7EE7CC8E
Type: RSA
Size: 4096
Creation date: 2020-12-16
Expiration date: 2023-12-18
User ID: NEC-PSIRT <psirt-info@cyber.jp.nec.com>
Key fingerprint: 12A0 3CBA 373A 2A3D F296  C2DC 46C5 8CA1 7EE7 CC8E

 3-3. Privacy Policy

Customer information and product vulnerability information provided will be managed in accordance with the NEC Personal Information Protection Policy. For details, please click here.

4. Provision of Information to Customers

NEC provides a portal to inform customers of security countermeasure information on NEC group's products. The timing of the information posted on this portal is synchronized with the posting of information on JVN.

 NEC group's Product Security Information Portal

 https://jpn.nec.com/security-info/index.html

5. Notification Initiatives

In NEC and Group companies, in addition to responding to product vulnerabilities, we notify the Information Security Early Warning Partnership when common vulnerabilities are discovered during product research and development, in an effort to improve security for the entire industry.

6. References

  (*1) Information Security Early Warning Partnership Guidelines
  https://www.ipa.go.jp/security/ciadr/partnership_guide.html

  Ministry of Economy, Trade and Industry (METI) Regulations
  for Handling Vulnerability Related Information on Software Products
  http://www.meti.go.jp/policy/netsecurity/vul_notification.pdf

  JPCERT/CC Vulnerability Related Information Handling Guidelines
  https://www.jpcert.or.jp/vh/top.html

  Vulnerability Countermeasure: Automatic Collection of Vulnerability
  Countermeasure Information Sent by Product Developers
  https://www.ipa.go.jp/security/vuln/jvnrss.html

  (*3) Japan Vulnerability Notes
  https://jvn.jp/index.html

Disclaimer
The Company disclaims all warranties, express or implied, including the accuracy, usefulness and reliability of the Content and other information provided on this website (hereinafter collectively referred to as the "Content, etc."). The Company does not guarantee the accuracy, usefulness, certainty, or any other aspect of the Content, etc. In no event shall the Company be liable for any damages arising from the use of the Contents.
The Company reserves the right to suspend or discontinue the operation of this website without notice. Also, please be aware that the Company may change or discontinue the contents of this website without prior notice.

Update

2021/02/03
Vulnerability Disclosure Policy is released.