EMC Vulnerability Response Policy
EMC takes every step possible to minimize customer risk associated with security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance and mitigation to address threats from vulnerabilities. The EMC Product Security Response Center (PSRC) is responsible for coordinating the response and disclosure for all externally identified EMC product vulnerabilities.
We constantly benchmark our practices with the rest of the industry by way of our participation in the Software Assurance Forum for Excellence in Code (SAFECode: http://www.safecode.org), the Forum of Incident Response and Security Teams (FIRST: http://www.first.org), and international standards that are being developed for vulnerability disclosure and handling, such as ISO 29147 and ISO 30111.
How to Report a Security Vulnerability
If you identify a security vulnerability in an EMC product, please report the problem immediately. Timely identification of security vulnerabilities is critical to eliminating potential threats.
Customers, partners, and other entitled users of an EMC product should contact EMC Technical Support to report security issues discovered in EMC products. The EMC Technical Support team in collaboration with the appropriate product team and the PSRC will work together on addressing the issue.
Security researchers, industry groups, vendors, and other users that do not have access to EMC Technical Support can send vulnerability reports via e-mail to firstname.lastname@example.org. Please encrypt your message using EMC’s PGP key, which you can download or view by right-clicking this link: PSRC PGP Key.
Please include as much of the following information as possible to help us better understand the nature and scope of the potential vulnerability:
- Product name and version that contains the vulnerability
- Type of vulnerability (XSS, buffer overflow, etc.)
- Step-by-step instructions to reproduce the vulnerability
- Proof-of-concept or exploit code
- Potential impact of the vulnerability, including how an attacker could exploit the vulnerability
After investigating and validating a reported vulnerability, EMC creates and qualifies the appropriate remedy. A remedy may take one or more of the following forms:
- A new release of the affected product packaged by EMC
- An EMC-provided patch that can be installed on top of the affected product
- Instructions to download and install an update or patch from a third-party component vendor that is required for mitigating the vulnerability
- A corrective procedure or workaround published by EMC that instructs users in adjusting the product configuration to mitigate the vulnerability
EMC makes every effort to provide the remedy or corrective action in the shortest commercially reasonable time in order to protect our customers. Response timelines will depend on many factors: the severity (composed of the exploitability factor and the impact), the component that is affected (for example, some updates require longer QA cycles or can only be updated in a major release), where the product is in the development cycle when the vulnerability is discovered, etc.
EMC communicates the remedy to customers through EMC Security Advisories. Security Advisories are released once EMC has remedies in place for all supported versions of the affected product(s). This is intended to protect all EMC customers. EMC may release Security Advisories sooner to respond appropriately to public disclosures or widely known vulnerabilities in the components used within EMC products.
Security Advisories aim to provide sufficient detail for customers to protect themselves, but not so much detail that malicious users could take advantage of the information and exploit it to the detriment of our customers.
EMC Security Advisories will include the following information where applicable:
- Products and versions affected
- The severity rating for the vulnerability (EMC uses the Common Vulnerability Scoring System, CVSS: http://www.first.org/cvss/cvss-guide.html)
- Common Vulnerability Enumeration (CVE: http://cve.mitre.org) identifier for the vulnerability so that the information on the vulnerability can be shared across various vulnerability management capabilities (tools like vulnerability scanners, repositories, and services)
- Brief description of the vulnerability and potential impact if exploited
- Remedy details with update/workaround information
- Credit to the finder for reporting the vulnerability and working with EMC on a coordinated release (if applicable)
Customers are strongly advised to subscribe to EMC Security Advisories via support portals:
- For EMC customers: https://support.emc.com
- For RSA customers: https://knowledge.rsasecurity.com/scolcms
The list of published Security Advisories can be found at EMC Security Advisories (requires EMC Online Support credentials).
A security vulnerability is classified by its severity rating, which is determined by many factors, including the level of effort required to exploit a vulnerability as well as the potential impact to data or business activities from a successful exploit. EMC currently uses the Common Vulnerability Scoring System version 3.0 (CVSS v3.0) to identify the severity level of identified vulnerabilities. The full standard, which is maintained by the Forum of Incident Response and Security Teams (FIRST), can be found at: https://www.first.org/cvss.
When and where applicable, EMC Security Advisories will provide the CVSS v3.0 Base Score, corresponding CVSS v3.0 Vector and the CVSS v3.0 Severity Rating Scale for identified vulnerabilities. EMC recommends that all customers take into account both the Base Score and any Temporal and/or Environmental Scores that may be relevant to their environment to assess their overall risk.
Additional Disclosure Information
EMC releases the same information on the vulnerability and how to protect against it to all customers at the same time in order to protect all customers equally. EMC does not provide advance notification to individual customers. This ensures that all customers are protected while a remedy is being created and receive proper information to remediate the vulnerability, and are not exposed to malicious attacks while the remedy is being developed.
EMC will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Security Advisory and related documentation such as release notes, knowledgebase articles, FAQs, etc. EMC does not distribute exploit/proof of concept code for identified vulnerabilities.
In accordance with industry practices, EMC does not share the findings from internal security testing or other types of security activities with external entities.
EMC Secure Development Practices
EMC has established a comprehensive approach to secure software development that goes across policy, people, processes, and technology. More information can be found on EMC’s Security Development Lifecycle (SDL) page.
Customer Rights: Warranties, Support, and Maintenance
EMC customers’ rights with respect to warranties and support and maintenance—including vulnerabilities in any EMC software product—are governed by the applicable agreement between EMC and each customer.
The statements on this web page don’t modify or enlarge any customer rights or create any additional warranties. Any information provided to EMC regarding vulnerabilities in EMC products—including all information in a product vulnerability report—shall become the sole information of EMC.