Dell strives to help our customers minimize risk associated with security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance, and mitigation options to address vulnerabilities. The Dell Product Security Incident Response Team (Dell PSIRT) is responsible for coordinating the response to and disclosure of product vulnerabilities that are reported to Dell.
Dell uses a rigorous process to continually evaluate and improve our vulnerability response practices and regularly benchmarks these against the rest of the industry. We are an active participant in the Software Assurance Forum for Excellence in Code (SAFECode), the Forum of Incident Response and Security Teams (FIRST), and international standards efforts involving vulnerability disclosure and handling, such as ISO 29147 and ISO 30111.
How to Report a Security Vulnerability
If you identify a security vulnerability in any Dell Technologies product, we ask you to report it to us immediately. Timely identification of security vulnerabilities is critical to mitigating potential risks to our customers. Security researchers should submit product vulnerability reports to the Dell Product Vulnerability Disclosure Program through Bugcrowd (https://www.bugcrowd.com/dell-product-vdp). Enterprise and commercial product customers and partners should contact their respective Technical Support team to report any security issues discovered in Dell products. The Technical Support team, the appropriate product team, and the Dell PSIRT will work together to address the reported issue and provide customers with next steps. Industry groups, vendors, and other users that do not have access to Technical Support should send vulnerability reports directly to the Dell PSIRT via email. Encrypt your message and any supporting attachments using the Dell PSIRT PGP key, which you can download here.
When reporting a potential vulnerability, we ask that you include as much of the below information as possible to help us better understand the nature and scope of the reported issue:
- Product name and version containing the vulnerability
- Environment or system information under which the issue was reproduced (for example: product model number, operating system version, and other related information).
- Type and/or class of vulnerability (for example: XSS, buffer overflow, and RCE)
- Step-by-step instructions to reproduce the vulnerability
- Proof-of-concept or exploit code
- Potential impact of the vulnerability
Handling Vulnerability Reports
Dell believes in maintaining a good relationship with security researchers and, with their agreement, may recognize researchers on our Security Acknowledgments page for finding a valid product vulnerability and privately reporting the issue. In return, we ask that researchers give us a reasonable opportunity to remediate the vulnerability before disclosing it publicly. Dell believes that coordinating the public disclosure of a vulnerability is key to protecting our customers.
According to this policy, all disclosed information about vulnerabilities is intended to remain between Dell and the reporting party—if the information is not already public knowledge—until a remedy is available and disclosure activities are coordinated.
Vulnerability Remediation
After investigating and validating a reported vulnerability, we strive to develop and qualify an appropriate remedy for products under active support from Dell. A remedy may take one or more of the following forms:
- A new release of the affected product packaged by Dell.
- A Dell-provided patch that can be installed on top of the affected product.
- Instructions to download and install an update or patch from a third-party vendor that is required for mitigating the vulnerability.
- A corrective procedure or workaround published by Dell that instructs users on measures that may be taken to mitigate the vulnerability.
Dell makes every effort to provide the remedy or corrective action in the shortest commercially reasonable time. Response timelines depend on many factors, such as the severity, the impact, the complexity of the remedy, the affected component (for example, some updates require longer validation cycles or can be delivered only in a major release), the stage of the product within its lifecycle, and the status of business operations, among others.
Impact and Severity Ratings
Dell uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) open framework for communicating the characteristics and severity of Dell software vulnerabilities. Many factors, including the level of effort required to exploit a vulnerability as well as the potential impact to data or business activities from a successful exploit, are considered. The full standard is maintained by FIRST.
The overall impact of a security advisory is a textual representation of the severity (critical, high, medium, or low) calculated using the CVSS Qualitative Severity Rating Scale for the highest CVSS Base Score of all identified vulnerabilities. When and where applicable, Dell provides an overall impact for the advisory and, for each identified vulnerability, the CVSS v3.1 Base Score and corresponding CVSS v3.1 Vector. Dell recommends that all customers consider both the base score and any temporal and/or environmental metrics that may be relevant to their environment to assess their overall risk.
We use Dell Security Advisories, Security Notices, and Informational articles to communicate information regarding security vulnerabilities that affect our products.
Dell Security Advisories are used to disclose product-specific security vulnerabilities and communicate remedies where applicable. To protect our customers, Dell strives to release a Security Advisory only once we have a remedy in place for any affected product(s).
Security Advisories are intended to provide sufficient detail to assess the impact of vulnerabilities and to remedy potentially affected products. However, full details may be limited to reduce the likelihood that malicious users can take advantage of the information provided and exploit it to the detriment of our customers.
Dell Security Advisories will typically include the following information, as applicable:
- The overall impact, which is a textual representation of the severity (that is, critical, high, medium, or low) calculated using the CVSS Qualitative Severity Rating Scale for the highest CVSS Base Score of all identified vulnerabilities.
- Products and versions affected.
- The CVSS Base Score and Vector for all identified vulnerabilities.
- Common Vulnerability Enumeration (CVE) identifier for all identified vulnerabilities, so that the information for each unique vulnerability can be shared across various vulnerability management capabilities (for example, tools like vulnerability scanners, repositories, and services).
- Brief description of the vulnerability and the potential impact if exploited.
- Remediation details with update or workaround information.
- Acknowledgment to the finder for reporting the vulnerability and working with Dell on a coordinated release, as applicable.
- Vulnerability category information:
  - Proprietary Code: Dell-developed hardware, software, or firmware.
  - Third-Party Component: hardware, software, or firmware that is freely distributed, packaged, or otherwise incorporated into a Dell product.
In special cases, Dell may publish a Security Notice to acknowledge a publicly known security vulnerability and provide a statement or other guidance regarding when (or where) additional information will be available.
Dell may publish security-related Informational Articles to share information about security-related topics such as:
- New security hardening features available within the product.
- Product-specific security configuration guides and best practices.
- Security vulnerabilities in third-party components that are identified by vulnerability scanning tools but are not exploitable from within the specified product.
- Installation instructions for applying specific security updates.
- Information regarding the effect of security updates in non-Dell product co-requisites and pre-requisites that could have an impact on Dell products.
Dell Security Advisories and Notices are available at www.dell.com/support/security. Informational articles are available at this link when authenticated.
Additional Disclosure Information
Dell policy is not to provide information about the specifics of vulnerabilities beyond what is provided in the Security Advisory and related documentation, such as release notes, knowledgebase articles, and FAQs. We do not distribute exploit or proof-of-concept code for identified vulnerabilities. In accordance with industry practices, Dell does not share findings from its internal security testing or other types of security activities with external entities.
Notifying Dell of other Security Issues
Use the appropriate contacts listed below to report other types of security issues to Dell:
- To report a security vulnerability or issue in Dell.com or another online service, web application, or property: submit a report at https://bugcrowd.com/dell or email@example.com with step-by-step instructions to reproduce the issue.
- If you suspect identity theft or have experienced a fraudulent transaction related to Dell Financial Services: see Dell Financial Services Security.
- To submit privacy-related requests or questions: see Dell Privacy.
Customer Entitlements: Warranties, Support, and Maintenance
Dell customers’ entitlements regarding warranties, support, and maintenance—including vulnerabilities in any Dell software product—are governed solely by the applicable agreement between Dell and the individual customer. The statements on this web page do not modify, enlarge, or otherwise amend any customer rights or create any additional warranties.
All aspects of this Vulnerability Response Policy are subject to change without notice. Response is not guaranteed for any specific issue or class of issues. Your use of the information in this document or materials linked herein is at your own risk.