安全警告
The Alcatel-Lucent Enterprise Product 安全 Incident Response Team (ALE PSIRT) is dedicated to managing requests, investigating 和 reporting vulnerabilities or technical issues impacting our products 和 solutions.
我们了解安全产品和解决方案对客户的重要性. It is our goal to ensure that Alcatel-Lucent Enterprise products are developed with all the appropriate security principles at the foundation. 我们遵循全面的安全计划,其中包括:
- 确保软件开发的最佳实践、过程和工具
- 严格的产品安全要求
- 发布前的定期验证和质量安全测试
尽管有这些安全原则和相关的操作, 漏洞可以在产品软件组件中被发现, 当利用, can have an impact on the security level of the products once deployed in a customer's networks.
产品安全事件响应流程总结
- ALE PSIRT收到安全警报或报告(业务伙伴、客户、……)发送一个在 漏洞汇总报告 (VSR)至ALE PSIRT (PSIRT@pylock.com).
- ALE PSIRT向报告者确认收到了VSR.
- The ALE PSIRT analyses the relevancy of the vulnerability in ALE context in terms of if t在这里 is a risk for ALE products. A 漏洞分析报告 (VAR)是在内部漏洞管理SharePoint中创建的. The VAR will be the reference for the ALE PSIRT to follow the analysis as it advances through the process. 对漏洞的严重性进行重新评估 通用漏洞评分系统版本3.1计算器.
- The ALE PSIRT notifies the Vulnerabilities Analysis Team (the PSP 和 the PSS) about the VAR.
- Product 安全 Prime完成VAR, 用于标识产品的漏洞状态. T在这里 may be multiple steps required that provide temporary steps to address the problem (through configuration, 施加限制, 或者找到一个变通方法), 在找到最终解决方案之前.
- The reporter will be informed, on a regular basis, about the ongoing vulnerability investigation. Most notably, the ALE PSIRT will communicate the conclusion of the analysis to the reporter.
- 如果有任何影响被确认, 当有补救措施时, ALE PSIRT将协调修复和影响评估, 和定义, 与产品线团队一起, 决议交付时间框架, 通知计划及向公共机构(如mitre)披露.org和CERT组织. 当有足够的信息可以交流时, 安全咨询委员会将要求创建或更新 安全咨询 (SA).
- ALE PSIRT将在ALE PSIRT网站上发布SA, 通知外部ALE相关方,如合作伙伴和客户.
- The ALE PSIRT mailing list subscribers receive notification about the published SA. 任何人都可以从ALE PSIRT网站订阅邮件列表.
- Anyone interested can go to the ALE PSIRT web site 和 read the 安全警告.
如何报告可疑的安全漏洞
Individuals or organisations experiencing technical security issues with an ALE product or solution are strongly encouraged to report the issues by contacting the ALE PSIRT using following these steps:
- 完成 漏洞摘要报告(VSR).
- 将完成的报告发送至以下邮箱: PSIRT@pylock.com
- 出于保密原因,请考虑使用ALE PGP公钥
The ALE PSIRT process will be followed while maintaining the discussion with the reporter. Communication with all involved parties is a key activity in our vulnerability solution process.
Alcatel-Lucent Enterprise customers can also report suspected security vulnerabilities through their usual support channels. 取决于客户维护合同, these contact points will be able to assist in more general situations such as providing:
- 确定是否存在安全问题的技术援助
- 为特定的安全相关功能配置ALE产品
- 关于已宣布的ALE产品安全问题的答案
- 实现任何避免漏洞的变通方法
保密- ALE PSIRT PGP公钥:
ALE PSIRT process ensures that neither unauthorised ALE employees nor outside users will get access to the information provided by the incident reporter. ALE还根据要求保证, the name of the incident reporter will not be disclosed in public communications or be used in further external distribution. 类似的, the ALE PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers 和 have been published by the ALE PSIRT on the ALE websites through the appropriate coordinated disclosure. For ensuring the confidentiality of the reporting 和 following steps of communication with ALE PSIRT, we encourage sending encrypted messages using the ALE PGP public key 和 sending in return the public PGP key of the incident reporter.
- 电子邮件: PSIRT@pylock.com
- 公钥可以在 http://keyserver.pgp.com
Note that ALE PSIRT should NOT be contacted to report or get support for security incidents that are happening "live" in deployed networks 和 solutions. Such incidents are to be reported only through the usual customer support channels.
第三方软件漏洞
ALE PSIRT与第三方协调中心合作,例如 CERT-IST, NVD 和 us - cert to manage vulnerabilities notices reported on third-party software embedded or used in ALE products 和 solutions. The reports are referred to with a unique Common Vulnerabilities 和 Exposures (CVE) number. Each CVE issued is analysed by ALE teams to provide an adjusted risk score that reflects the effective impact on our products.
严重程度评估
当漏洞被发现时, 内部或外部, 通过穿透测试, 证书报告, 或者从田野里, it is important to qualify the vulnerability within the context of ALE products.
To help this qualification process ALE uses a tool developed by the FIRST organisation called the CVSS版本3.1计算器.
By answering a number of questions, a new score is established for the vulnerability.
重新认证的分数被称为ALE漏洞评分系统(AVSS)。.
评级 | CVSS / AVSS得分 |
不影响 | 0.0 |
低 | 0.1 - 3.9 |
媒介 | 4.0 - 6.9 |
高 | 7.0 - 8.9 |
至关重要的 | 9.0 - 10.0 |
安全谘询披露
If one or more of the following conditions exist, ALE will publicly disclose a 安全咨询:
- An incident response process has been completed 和 it has been determined that sufficient software patches or workarounds exist to address the vulnerability, or subsequent public disclosure of code fixes is planned to address high to critical severity vulnerabilities.
- An active exploitation of the vulnerability has been observed that could lead to increased risk for our customers. Early 安全警告 may then be published prior to the publication of available patches or corrections to inform our customers about potential risks.
- Public information about the vulnerability can expose our customers to potential increased risk. Early 安全警告 may then be published prior to the publication of available patches or corrections to inform our customers about potential risks.
ALE reserves the right to deviate from this policy on an exception basis to ensure software patch availability 和 our customers' security.