Dell Vulnerability Response Policy

Introduction

Dell strives to help our customers minimize risk associated with security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance and mitigation options to address vulnerabilities. The Dell Product Security Incident Response Team (Dell PSIRT) is chartered and responsible for coordinating the response and disclosure for all product vulnerabilities that are reported to Dell.

Dell employs a rigorous process to continually evaluate and improve our vulnerability response practices and we regularly benchmark these against the rest of the industry. Dell is an active participant in the Software Assurance Forum for Excellence in Code (SAFECode: http://www.safecode.org ), the Forum for Incident Response (http://www.first.org ) and international standards efforts that are developed for vulnerability disclosure and handling such as ISO 29147 and ISO 30111.

How to Report a Security Vulnerability

If you identify a security vulnerability in any Dell, Dell EMC, or RSA product, please report it immediately. Timely identification of security vulnerabilities is critical to mitigating potential risks to our customers.

Enterprise and commercial product customers and partners should contact the appropriate technical support team to report security issues discovered in a Dell product. The Technical Support team, the appropriate product team and Dell PSIRT will work together to address the issue and provide customers with next steps.

Security researchers, industry groups, vendors, and other users that do not have access to Technical Support should send vulnerability reports to Dell PSIRT via e-mail (secure@dell.com). Please encrypt your message and any attachments using Dell PSIRT’s PGP key, which you can download here.

When reporting a potential vulnerability please include as much of the below information as possible to help us better understand the nature and scope of the reported issue:

  • Product name and version that contains the vulnerability
  • Environment or system information under which the issue was reproduced (e.g. product model number, OS version etc.)
  • Type and/or class of vulnerability (XSS, buffer overflow, RCE, etc.)
  • Step-by-step instructions to reproduce the vulnerability
  • Proof-of-concept or exploit code
  • Potential impact of the vulnerability


Handling Vulnerability Reports

Dell believes in maintaining a good relationship with security researchers and we acknowledge them in our advisories (if desired). In return, we ask that researchers give us an opportunity to remediate the vulnerability before publicly disclosing it. Dell believes that coordinating the public disclosure of a vulnerability is key to protecting our customers.

All information about vulnerabilities disclosed according to this policy is intended to remain private between Dell and the reporting party (if the information is not already public knowledge) until a remedy is available and disclosure activities are coordinated.

Vulnerability Remediation

After investigating and validating a reported vulnerability, Dell will develop and qualify the appropriate remedy for products that are under active support from Dell. A remedy may take one or more of the following forms:

  • A new release of the affected product packaged by Dell
  • A Dell-provided patch that can be installed on top of the affected product
  • Instructions to download and install an update or patch from a third-party component vendor that is required for mitigating the vulnerability
  • A corrective procedure or workaround published by Dell that instructs users in adjusting the product configuration to mitigate the vulnerability


Dell makes every effort to provide the remedy or corrective action in the shortest commercially reasonable time. Response timelines will depend on many factors: the severity, the remedy complexity, the component that is affected (for example, some updates require longer validation cycles or can only be updated in a major release), the stage of the product within its lifecycle, etc.

Remedy Communication

Dell will communicate remedies to customers through Dell Security Advisories where applicable. To protect Dell customers, Security Advisories are released once Dell has remedies in place for all supported versions of the affected product(s). Dell may release Security Advisories sooner to respond appropriately to public disclosures or widely known vulnerabilities in the components used within Dell products.

Security Advisories are intended to provide sufficient details to allow customers to assess the impact of vulnerabilities and to remedy potentially vulnerable products. Full details may be limited to reduce the likelihood that malicious users could take advantage of the information and exploit it to the detriment of our customers.

Dell Security Advisories will include the following information where applicable:

  • Products and versions affected
  • The severity rating for the vulnerability (Dell uses the Common Vulnerability Scoring System, CVSS: https://www.first.org/cvss/user-guide)
  • Common Vulnerability Enumeration (CVE: http://cve.mitre.org) identifier for the vulnerability so that the information on the vulnerability can be shared across various vulnerability management capabilities (tools like vulnerability scanners, repositories, and services)
  • Brief description of the vulnerability and potential impact if exploited
  • Remedy details with update/workaround information
  • Credit to the finder for reporting the vulnerability and working with Dell on a coordinated release (if applicable)

Dell Security Advisories and Notices can be accessed on www.dell.com/support/security.

Severity Rating

A security vulnerability is classified by its severity rating, which is determined by many factors, including the level of effort required to exploit a vulnerability as well as the potential impact to data or business activities from a successful exploit. Dell uses the Common Vulnerability Scoring System version 3.0 (CVSS v3.0) to identify the severity level of identified vulnerabilities. The full standard, which is maintained by the Forum of Incident Response and Security Teams (FIRST), can be found at https://www.first.org/cvss.

When and where applicable, Dell Security Advisories will provide the CVSS v3.0 Base Score, corresponding CVSS v3.0 Vector, and the CVSS v3.0 Severity Rating Scale for identified vulnerabilities. Dell recommends that all customers take into account both the base score and any temporal and/or environmental scores that may be relevant to their environment to assess their overall risk.
 
Additional Disclosure Information

Dell releases Security Advisories to all customers simultaneously and its policy is not to provide advance notification to individual customers. This ensures that all customers are protected while a remedy is being created and receive proper information to remediate the vulnerability. Certain vulnerabilities may require multi-party coordination among industry partners before they are publicly disclosed.

Dell’s policy is not to provide additional information about the specifics of vulnerabilities beyond what is provided in the Security Advisory and related documentation such as release notes, knowledgebase articles, FAQs, etc. Dell does not distribute exploit/proof of concept code for identified vulnerabilities.

In accordance with industry practices, Dell’s policy is not to share the findings from internal security testing or other types of security activities with external entities.

Notifying Dell of other Security Issues

If you need to report any other security issue to Dell, please use the appropriate contacts listed below:

Security Issue

Contact Information

How to report a security vulnerability or issue in Dell online service, web application or property

Submit a report at https://bugcrowd.com/dell with step-by-step instructions to reproduce the issue.

How to report spam and phishing emails

Contact Missed_SPAM@dell.com.

How to report a security issue to Dell Financial Services

See Dell Financial Services Security page.

How to submit privacy related requests or questions

See Dell Privacy page.

Customer Entitlements: Warranties, Support, and Maintenance

Dell customers’ entitlements with respect to warranties and support and maintenance—including vulnerabilities in any Dell software product—are governed by the applicable agreement between Dell and each customer. The statements on this web page don’t modify or enlarge any customer rights or create any additional warranties.