Dell strives to help our customers minimize risk associated with security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance and mitigation options to address vulnerabilities. The Dell Product Security Incident Response Team (Dell PSIRT) is chartered and responsible for coordinating the response and disclosure for all product vulnerabilities that are reported to Dell.
Dell employs a rigorous process to continually evaluate and improve our vulnerability response practices and we regularly benchmark these against the rest of the industry. We are an active participant in the Software Assurance Forum for Excellence in Code (SAFECode), the Forum for Incident Response and Security Teams (FIRST) and international standards efforts for vulnerability disclosure and handling, such as ISO 29147 and ISO 30111.
How to Report a Security Vulnerability
If you identify a security vulnerability in any Dell Technologies product, please report it immediately. Security researchers, industry groups, vendors, and other users that do not have access to Technical Support should send vulnerability reports to Dell PSIRT via e-mail. Please encrypt your message and any attachments using Dell PSIRT’s PGP key, which you can download here. Timely identification of security vulnerabilities is critical to mitigating potential risks to our customers.
Enterprise and commercial product customers and partners should contact the appropriate technical support team to report security issues discovered in a Dell product. The Technical Support team, the appropriate product team and Dell PSIRT will work together to address the issue and provide customers with next steps.
When reporting a potential vulnerability, please include as much of the below information as possible to help us better understand the nature and scope of the reported issue:
- Product name and version that contains the vulnerability
- Environment or system information under which the issue was reproduced (e.g. product model number, OS version, etc.)
- Type and/or class of vulnerability (XSS, buffer overflow, RCE, etc.)
- Step-by-step instructions to reproduce the vulnerability
- Proof-of-concept or exploit code
- Potential impact of the vulnerability
Handling Vulnerability Reports
Dell believes in maintaining a good relationship with security researchers, and with the agreement of the reporter, we may recognize the reporter on our Acknowledgement page for finding a valid product vulnerability and privately reporting the issue.
In return, we ask that researchers give us an opportunity to remediate the vulnerability before publicly disclosing it. Dell believes that coordinating the public disclosure of a vulnerability is key to protecting our customers.
According to this policy, all disclosed information about vulnerabilities is intended to remain between Dell and the reporting party—if the information is not already public knowledge—until a remedy is available and disclosure activities are coordinated.
Vulnerability Remediation
After investigating and validating a reported vulnerability, we will attempt to develop and qualify the appropriate remedy for products that are under active support from Dell. A remedy may take one or more of the following forms:
- A new release of the affected product packaged by Dell
- A Dell-provided patch that can be installed on top of the affected product
- Instructions to download and install an update or patch from a third-party component vendor that is required for mitigating the vulnerability
- A corrective procedure or workaround published by Dell that instructs users in adjusting the product configuration to mitigate the vulnerability
Dell makes every effort to provide the remedy or corrective action in the shortest commercially reasonable time. Response timelines will depend on many factors, such as the severity, the remedy complexity, the affected component (e.g., some updates require longer validation cycles or can only be updated in a major release) or the stage of the product within its lifecycle, among others.
Remedy Communication
In most cases, we will communicate remedies to customers through Dell Security Advisories, where applicable. To protect our customers, Dell strives to release a Security Advisory once we have a remedy in place for any affected product(s). Dell may release Security Notices sooner to respond appropriately to public disclosures or widely known vulnerabilities in the components used within our products.
Security Advisories are intended to provide sufficient details to allow customers to assess the impact of vulnerabilities and to remedy potentially vulnerable products. Full details may be limited to reduce the likelihood that malicious users could take advantage of the information and exploit it to the detriment of our customers.
Dell Security Advisories will typically include the following information, where applicable:
- Products and versions affected
- The severity rating for the vulnerability; Dell uses the Common Vulnerability Scoring System (CVSS)
- Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability, so that information on the vulnerability can be shared across vulnerability management capabilities (tools such as vulnerability scanners, repositories, and services)
- Brief description of the vulnerability and potential impact if exploited
- Remedy details with update/workaround information
- Credit to the finder for reporting the vulnerability and working with Dell on a coordinated release (if applicable)
Dell Security Advisories and Notices can be accessed at www.dell.com/support/security.
A security vulnerability is classified by its severity rating, which is determined by many factors, including the level of effort required to exploit a vulnerability as well as the potential impact to data or business activities from a successful exploit. Dell uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to identify the severity level of identified vulnerabilities. The full standard is maintained by FIRST.
When and where applicable, Dell Security Advisories will provide the CVSS v3.1 Base Score, corresponding CVSS v3.1 Vector, and CVSS v3.1 Severity Rating Scale for identified vulnerabilities. Dell recommends that all customers take into account both the base score and any temporal and/or environmental scores that may be relevant to their environment to assess their overall risk.
Additional Disclosure Information
Dell attempts to release Security Advisories to all customers simultaneously, and our policy is not to provide advance notification to individual customers. This ensures that all customers are protected while a remedy is being created and receive proper information to remediate the vulnerability. Certain vulnerabilities may require multi-party coordination among industry partners before they are publicly disclosed.
Dell’s policy is not to provide additional information about the specifics of vulnerabilities beyond what is provided in the Security Advisory and related documentation such as release notes, knowledgebase articles, FAQs, etc. We do not distribute exploit/proof of concept code for identified vulnerabilities.
In accordance with industry practices, Dell’s policy is not to share the findings from internal security testing or other types of security activities with external entities.
Notifying Dell of other Security Issues
If you need to report any other security issue to Dell, please use the appropriate contacts listed below:
How to report a security vulnerability or issue in Dell online service, web application or property
Submit a report at https://bugcrowd.com/dell with step-by-step instructions to reproduce the issue.
What to do if you suspect Identity theft related to Dell Financial Services
See Dell Financial Services Security page.
How to submit privacy related requests or questions
See Dell Privacy page.
Customer Entitlements: Warranties, Support, and Maintenance
Dell customers’ entitlements with respect to warranties and support and maintenance—including vulnerabilities in any Dell software product—are governed by the applicable agreement between Dell and each customer. The statements on this web page don’t modify or enlarge any customer rights or create any additional warranties.
All aspects of Dell’s Vulnerability Response Policy are subject to change without notice and on a case-by-case basis. Response is not guaranteed for any specific issue or class of issues. Your use of the information in this document or of materials linked from it is at your own risk. Dell reserves the right to change or update this document without notice at any time.