Acknowledging the importance for our
Customers to rely on secure products and solutions, it is
Alcatel-Lucent's
policy to ensure that Alcatel-Lucent products are developed with
appropriate
security principles as basis. Still, Alcatel-Lucent recognizes
that,
despite these security principles, vulnerabilities
- can be discovered in the software components of our
products
- can have an impact on the security level of those
products once deployed at customers.
To cope with such
situations, Alcatel-Lucent has set up an internal process for
vulnerability management
with the following objectives :
- Allow Alcatel-Lucent product lines and customer
support
channels to be made aware on-time of software vulnerabilities that can
impact our products and hence work out solutions that can be proposed
to customers in a timely manner
- Allow customers, researchers and interested people to
report on possible security vulnerabilities in Alcatel-Lucent's
products
Reporting Security Vulnerabilities in Alcatel-Lucent
Products
Contact the Alcatel-Lucent PSIRT
The Alcatel-Lucent Product
Security Incident
Response Team (APSIRT) coordinates the activities related to security
vulnerabilities and can be contacted if you find a potential security
problem with an Alcatel-Lucent product. Vulnerabilities can be reported
by
sending a Vulnerability Summary Report (VSR) to psirt.security@Alcatel-Lucent.com
.
To ease the formulation of your report we offer a template that can be
downloaded here
Reporting
security incidents
The Alcatel-Lucent PSIRT is
NOT to be contacted
to report and get support for security incidents that are happening
"live" in deployed networks and solutions. Such incidents are to be
reported only via your usual customer support channels, if this is
covered in your support contract.
Other channels for contacting Alcatel-Lucent
Customers are also encouraged
to report
potential security vulnerabilities via their usual support channels.
Depending on your maintenance contract, these contact points will also
be able to assist you in more general situations such as
- technical assistance to determine if a security
problem exists
- configuring an Alcatel-Lucent product for a specific
security-related function
- questions about an announced security problem with an
Alcatel-Lucent product
Confidentiality
If confidentiality is a
requirement in
communicating with Alcatel-Lucent, PGP and S/MIME can be used in e-mail
exchanges. you can encrypt any sensitive information you send to us.
Alcatel-Lucent PSIRT PGP and S/MIME keys can be found here
Alcatel-Lucent's internal
vulnerability
management process ensures that the information is sent to a limited
group of designated Alcatel-Lucent employees who are experienced in
handling
such matters. Neither unauthorized Alcatel-Lucent employees nor outside
users
have access to the provided information you sent.
Alcatel-Lucent also guarantees
that on your
request, your name is not disclosed in public communications and makes
no further external distribution of a VSR or pre-warning before it has
investigated the reality of the reported vulnerability
Details on Alcatel-Lucent's
process after
having received a VSR is described here
|
