Security Advisories
The Alcatel-Lucent Enterprise Product Security Incident Response Team (ALE PSIRT) is dedicated to managing requests, investigating and reporting vulnerabilities or technical issues impacting our products and solutions.
We understand how important secure products and solutions are to our customers. It is our goal to ensure that Alcatel-Lucent Enterprise products are developed with all the appropriate security principles at the foundation. We follow a comprehensive security programme, which includes:
- Best practices, processes and tools for software development
- Strict product security requirements
- Regular validation and quality security testing before release
Despite these security principles and the related operations, vulnerabilities can still be discovered in product software components which, when exploited, can have an impact on the security level of the products once deployed in a customer's networks.
Summary of the product security incident response process
- The ALE PSIRT receives a security alert or report from a source (business partner, customer, ...) who sends a Vulnerability Summary Report (VSR) to the ALE PSIRT (PSIRT@fc-daudenzell.com).
- The ALE PSIRT confirms receipt of the VSR to the reporter.
- The ALE PSIRT analyses the relevance of the vulnerability in the ALE context, to determine whether there is a risk for ALE products. A Vulnerability Analysis Report (VAR) is created within the internal Vulnerabilities Management SharePoint. The VAR is the reference the ALE PSIRT uses to follow the analysis as it advances through the process. The severity of the vulnerability is re-evaluated using the Common Vulnerability Scoring System version 3.1 Calculator.
- The ALE PSIRT notifies the Vulnerabilities Analysis Team (the PSP and the PSS) about the VAR.
- The Product Security Prime completes the VAR, which identifies the vulnerability status of the product. Multiple steps may be required that provide temporary measures to address the problem (through configuration, by applying restrictions, or by finding a workaround) until a final solution is available.
- The reporter is informed, on a regular basis, about the ongoing vulnerability investigation. Most notably, the ALE PSIRT communicates the conclusion of the analysis to the reporter.
- If any impact is confirmed, and once a remediation is available, the ALE PSIRT coordinates the fix and the impact assessment, and defines, together with the product line teams, the resolution delivery timeframe, the notification plan and the disclosure to public bodies such as mitre.org and CERT organisations. When there is enough information to communicate, the Security Advisory Board requests the creation or update of a Security Advisory (SA).
- The ALE PSIRT publishes the SA on the ALE PSIRT web site to notify external ALE stakeholders such as partners and customers.
- The ALE PSIRT mailing list subscribers receive a notification about the published SA. Anyone can subscribe to the mailing list from the ALE PSIRT web site.
- Anyone interested can go to the ALE PSIRT web site and read the Security Advisories.
How to report a suspected security vulnerability
Individuals or organisations experiencing technical security issues with an ALE product or solution are strongly encouraged to report the issues to the ALE PSIRT by following these steps:
- Complete the Vulnerability Summary Report (VSR).
- Send the completed report to the following mailbox: PSIRT@fc-daudenzell.com
- For confidentiality reasons, please consider using the ALE PGP public key.
The ALE PSIRT process will be followed while maintaining the discussion with the reporter. Communication with all involved parties is a key activity in our vulnerability solution process.
Alcatel-Lucent Enterprise customers can also report suspected security vulnerabilities through their usual support channels. Depending on the customer's maintenance contract, these contact points will be able to assist in more general situations, such as providing:
- Technical assistance in determining whether a security issue exists
- Configuration of ALE products for specific security-related features
- Answers about announced security issues in ALE products
- Implementation of any workaround that avoids a vulnerability
Confidentiality - ALE PSIRT PGP public key:
The ALE PSIRT process ensures that neither unauthorised ALE employees nor outside users get access to the information provided by the incident reporter. ALE also guarantees, on request, that the name of the incident reporter will not be disclosed in public communications or used in further external distribution. Similarly, the ALE PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the ALE PSIRT on the ALE web sites through the appropriate coordinated disclosure. To ensure the confidentiality of the report and of the subsequent communication with the ALE PSIRT, we encourage sending encrypted messages using the ALE PGP public key and sending in return the public PGP key of the incident reporter.
- E-mail: PSIRT@fc-daudenzell.com
- The public key is available at http://keyserver.pgp.com
Note that ALE PSIRT should NOT be contacted to report or get support for security incidents that are happening "live" in deployed networks and solutions. Such incidents are to be reported only through the usual customer support channels.
Third-party software vulnerabilities
The ALE PSIRT works with third-party coordination centres such as CERT-IST, NVD and US-CERT to manage vulnerability notices reported on third-party software embedded in or used by ALE products and solutions. The reports are referred to by a unique Common Vulnerabilities and Exposures (CVE) number. Each CVE issued is analysed by ALE teams to provide an adjusted risk score that reflects the effective impact on our products.
Severity assessment
When a vulnerability is discovered, internally or externally, through pentests, CERT reports, or from the field, it is important to qualify the vulnerability within the context of ALE products.
To support this qualification process, ALE uses a tool developed by the FIRST organisation: the CVSS version 3.1 calculator.
By answering a number of questions about the vulnerability as it applies to the ALE product, a new score is established for it.
The requalified score is called the ALE Vulnerability Scoring System (AVSS) score.
| Rating | CVSS/AVSS Score |
| --- | --- |
| Not impacted | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
Security Advisory disclosure
If one or more of the following conditions exist, ALE will publicly disclose a Security Advisory:
- An incident response process has been completed and it has been determined that sufficient software patches or workarounds exist to address the vulnerability, or subsequent public disclosure of code fixes is planned to address high to critical severity vulnerabilities.
- An active exploitation of the vulnerability has been observed that could lead to increased risk for our customers. Early Security Advisories may then be published prior to the publication of available patches or corrections to inform our customers about potential risks.
- Public information about the vulnerability can expose our customers to potential increased risk. Early Security Advisories may then be published prior to the publication of available patches or corrections to inform our customers about potential risks.
ALE reserves the right to deviate from this policy on an exception basis to ensure software patch availability and our customers' security.