Receive and report: Proactively monitor and receive potential security vulnerabilities and problems reported by vulnerability reporters, and respond to such issues.
Problem analysis: Verify that potential security vulnerabilities and issues affect the company's product safety, and assess risk to determine the level of vulnerability. ISRC personnel assess vulnerability risks based on the CVSSv3 standard. See specific CVSSv3 standards here: https://www.first.org/cvss/specification-document
Vulnerability fixes: Develop vulnerability risk mitigation and fixes, verify bug fixes, eradicate vulnerabilities, and provide product upgrades or patches.
Vulnerability disclosure: Vulnerability information is disclosed in cases where circumvention and patches are available (or new versions are released).
Inspur ISRC discloses security vulnerabilities in two forms:
Security Advisory (SA): Provide information about security vulnerabilities identified with Inspur products, including any fixes, workarounds or other actions.
Security Notice (SN): Provide information of general interest about security topics related to Inspur products or the use of Inspur products.
Inspur ISRC staff will release the SA in the instant of an incident or routine basis (second Wednesday of each month).
Throughout the vulnerability process, ISRC personnel will strictly control the scope of vulnerability information and limit it to only those who are dealing with the vulnerability. Before the vulnerability is fixed, the vulnerability reporter should not disclose or disseminate the vulnerability information. Inspur condemns any attempt to exploit vulnerability testing or security vulnerabilities to undermine and harm the interests of users.
Copyright © 2018 Inspur. All Rights Reserved.