Hillstone Product Security Incident Response
Hillstone Product Security Incident Response
The Hillstone Product Security Incident Response Team (PSIRT) is responsible for responding to Hillstone product security incidents. The Hillstone PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of information about security vulnerabilities and issues related to Hillstone products and networks. Hillstone defines a security vulnerability as an unintended weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of the product.
The on-call Hillstone PSIRT works 24 hours a day with Hillstone customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security vulnerabilities and issues with Hillstone products and networks.
Reporting or Obtaining Support for a Suspected Security Vulnerability
Individuals or organizations that are experiencing a product security issue are strongly encouraged to contact the Hillstone PSIRT. Hillstone welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security. The minimal data needed for reporting a security issue is a description of the potential vulnerability.
Please contact the Hillstone PSIRT using one of the following methods.
|Emergency & Nonemergency Support|
|Hours||Support requests that are received via email are typically acknowledged within 48 hours. Ongoing status on reported issues will be determined as needed.|
General Security-Related Queries
For general security concerns about Hillstone products, the Hillstone Technical Assistance Center (TAC) can provide configuration assistance and technical assistance with security matters. The TAC can also help with nonsensitive security incidents and software upgrades for security bug fixes. Use the following information to contact the Hillstone TAC.
|Hours||24 hours a day, 7 days a week|
Receiving Security Vulnerability Information from Hillstone
There are several ways to stay connected and receive the latest security vulnerability information from Hillstone. Review the following table, and subsequent summaries, to determine the appropriate option.
The Hillstone Security portal on Hillstone.com provides Hillstone security vulnerability documents and Hillstone security functions information, including relevant security products and services.
For direct links to specific security functions, see the Types of Security Publications section of this document.
Commitment to Product Security and Integrity at Hillstone
Hillstone product development practices specifically prohibit any intentional behaviors or product features that are designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. These include, but are not limited to:
- Undisclosed device access methods or “backdoors”
- Hardcoded or undocumented account credentials
- Covert communication channels
- Undocumented traffic diversion
Hillstone considers such product behaviors to be serious vulnerabilities. Hillstone will address any issues of this nature with the highest priority and encourages all parties to report suspected vulnerabilities to the Hillstone PSIRT for immediate investigation. Internal and external reports of these vulnerabilities will be managed and disclosed under the terms of the Hillstone Security Vulnerability Policy.
Hillstone Product Security Incident Response Process
The following graphic illustrates the Hillstone PSIRT process at a high level and provides an overview of the vulnerability lifecycle, disclosure, and resolution process.
Figure 1. Hillstone Product Security Incident Response Process
The following are the steps in the process illustrated in Figure 1:
- Awareness: PSIRT receives notification of security incident.
- Active Management: PSIRT prioritizes and identifies resources.
- Fix Determined: PSIRT coordinates fix and impact assessment.
- Communication Plan: PSIRT sets timeframe and notification format.
- Integration and Mitigation: PSIRT engages experts and executives.
- Notification: PSIRT notifies all customers simultaneously.
- Feedback: PSIRT incorporates feedback from customers and Hillstone internal input.
The Hillstone PSIRT investigates all reports regardless of the Hillstone software code version or product lifecycle status. Issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Ultimately, the resolution of a reported incident may require upgrades to products that are under active support from Hillstone.
Throughout the investigative process, the Hillstone PSIRT strives to work collaboratively with the source of the report (incident reporter) to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results will be delivered to the incident reporter along with a plan for resolution and public disclosure. If the incident reporter disagrees with the conclusion, the Hillstone PSIRT will make every effort to address those concerns.
During any investigation, the Hillstone PSIRT manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Similarly, the Hillstone PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the Hillstone PSIRT on the Hillstone website through the appropriate coordinated disclosure.
With the agreement of the incident reporter, the Hillstone PSIRT may acknowledge the reporter’s contribution during the public disclosure of the vulnerability.
Hillstone PSIRT works with third-party coordination centers such as CERT/CC, CERT-FI, JP-CERT, or CPNI to manage a coordinated industry disclosure for vulnerabilities reported to Hillstone that may impact multiple vendors (for example, a generic protocol issue). In those situations, the Hillstone PSIRT either will assist the incident reporter in contacting the coordination center, or may do so on that individual’s behalf.
If a reported vulnerability involves a vendor product, the Hillstone PSIRT will notify the vendor directly, coordinate with the incident reporter, or engage a third-party coordination center.
The Hillstone PSIRT will coordinate with the incident reporter to determine the frequency of status updates of the incident and documentation updates.
In the event Hillstone becomes aware of a vulnerability that does not affect a Hillstone product, but does involve another vendor’s product, our policy for reporting vulnerabilities to vendors is followed.
Disclosure of Security Vulnerabilities Discovered
as Part of Hillstone Services Delivery
If a new or previously undisclosed security vulnerability is found during a Hillstone Services engagement with a customer, Hillstone will follow the Hillstone Product Security Incident Response Process. Vulnerabilities found in Hillstone products will be handled by the Hillstone PSIRT according to Hillstone’s Security Vulnerability Policy. If the vulnerability is in another vendor’s product, Hillstone will follow the Hillstone Vendor Vulnerability Reporting and Disclosure Policy unless the affected customer wishes to report the vulnerability to the vendor directly; in that case, Hillstone will facilitate contact between the customer and the vendor, and will notify CERT/CC (or its national equivalent).
Hillstone will protect customer-specific data at all times throughout this process. Specifically, Hillstone will not share any customer-specific data unless directed to do so by the affected customer, or as required by a legal investigation.
Assessing Security Risk
— Common Vulnerability Scoring System and the Security Impact Rating
Hillstone uses version 3.0 of the Common Vulnerability Scoring System (CVSS) as part of its standard process of evaluating reported potential vulnerabilities in Hillstone products. The CVSS model uses three distinct measurements or scores that include Base, Temporal, and Environmental calculations. Hillstone will provide an evaluation of the Base vulnerability score, and in some instances, will provide a Temporal vulnerability score. End users are encouraged to compute the Environmental score based on their network parameters. The combination of all three scores should be considered the final score, which represents a moment in time and is tailored to a specific environment. Organizations are advised to use this final score to prioritize responses in their own environments.
Issues with a Low SIR are typically published as a bug Release Note Enclosure (RNE) and not as part of a Security Advisory.
Hillstone reserves the right to deviate from these guidelines in specific cases if additional factors are not properly captured in the CVSS score.
If there is a security issue with a third-party software component that is used in a Hillstone product, Hillstone typically uses the CVSS score provided by the third party. In some cases, Hillstone may adjust the CVSS score to reflect the impact to the Hillstone product.
Third-Party Software Vulnerabilities
If there is a vulnerability in a third-party software component that is used in a Hillstone product, Hillstone typically uses the CVSS score provided by the component creator. Hillstone may adjust the CVSS score to reflect the impact to Hillstone products.
Hillstone will consider a third-party vulnerability “high profile” if it meets the following criteria:
- The vulnerability exists in a third-party component.
- Multiple Hillstone products are affected.
- The CVSS score is 5.0 or above.
- The vulnerability has gathered significant public attention.
- The vulnerability is likely to have exploits available and is expected to be, or is being, actively exploited.
For high profile, third-party vulnerabilities, Hillstone will begin assessing all potentially impacted products that have not reached End-of-Support (with priority given to those products that have not reached End-of-Software-Maintenance) and publish a Security Advisory within 24 hours of initial disclosure by the third-party. All known affected Hillstone products will be detailed in an update to the initial Security Advisory, which will be published within 7 days of Hillstone’s initial disclosure. A Hillstone bug will be created for each vulnerable product so that registered customers can view them via the Hillstone Bug Search Toolkit. Third-party vulnerabilities that are not classified as high profile will be disclosed in a Release Note Enclosure.
If one or more of the following conditions exist, Hillstone will publicly disclose Hillstone Security Advisories:
- The Hillstone PSIRT has completed the incident response process and determined that enough software patches or workarounds exist to address the vulnerability, or subsequent public disclosure of code fixes is planned to address high-severity vulnerabilities.
- The Hillstone PSIRT has observed active exploitation of a vulnerability that could lead to increased risk for Hillstone customers. For this condition, Hillstone will accelerate the publication of a security announcement describing the vulnerability that may or may not include a complete set of patches or workarounds.
- There is the potential for increased public awareness of a vulnerability affecting Hillstone products that could lead to increased risk for Hillstone customers. For this condition, Hillstone will accelerate the publication of a security announcement describing the vulnerability that may or may not include a complete set of patches or workarounds.
All Hillstone security publications are disclosed to customers and the public simultaneously. Hillstone reserves the right to deviate from this policy on an exception basis to ensure access to Hillstone.com for software patch availability.
When coordinating disclosure with third parties, the Hillstone PSIRT will attempt to provide notification of any changes to the Hillstone PSIRT public disclosure schedule.
As documented in the Receiving Security Vulnerability Information from Hillstone section of this document, Hillstone delivers technical security information about software fixes in Hillstone products and distributes product updates through several channels.
Incident Response Eligibility
Customers with service contracts receive incident response assistance for any incident in which a Hillstone product plays a significant role, regardless of whether there is an identified problem with a Hillstone product.
All customers, regardless of contract status, receive free incident response assistance, similar to that offered to contract customers, for any incident that involves known or reasonably suspected security vulnerability in a Hillstone product.
Hillstone reserves the right to determine the type and degree of assistance it may offer in connection with any incident and to withdraw from any incident at any time. Hillstone may offer customers incident response services free of charge. Hillstone may give special consideration to security incidents that involve actual or potential threats to persons, property, or the Internet as well as requests from law enforcement agencies or formal incident response teams.
Security Software Updates
PSIRT will investigate and disclose vulnerabilities in Hillstone products and services from the date of First Commercial Shipment (FCS) to the Last Day of Support. Hillstone customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels, generally from the Hillstone website. Hillstone recommends contacting the TAC only with specific and imminent problems or questions.
As a special customer service, and to improve the overall security of the Internet, Hillstone may offer customers free software updates to address high-severity security problems. The decision to provide free software updates is made on a case-by-case basis. Refer to the Hillstone security publication for details. Free software updates will typically be limited to Hillstone Security Advisories.
If Hillstone has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Hillstone TAC using any of the means described in the General Security-Related Queries section of this document. To verify their entitlement, individuals who contact the TAC should have available the URL of the Hillstone document that is offering the update.
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Hillstone software license. Additionally, customers may only download software for which they have a valid license, procured from Hillstone directly, or through a Hillstone authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
After the End of Sale, the availability of security fixes provided by Engineering is defined in the product’s End of Sale bulletin. (See the End-of-Life Policy for details.) The End of Sale Bulletin may define one or more of the following milestones.
- The End of SW Maintenance milestone identifies the last date Hillstone may release a software maintenance release that could include security fixes.
- The End of Engineering Support for the Hillstone TAC milestone is the last date that Hillstone Engineering may consider the repair and support of confirmed hardware or software defects for a product.
- The End of Security and Vulnerability Fixes milestone identifies the last date that Hillstone may provide support for network-impacting security vulnerabilities.
Note: If the End of Security and Vulnerability Fixes milestone is not defined, the End of SW Maintenance and End of Engineering Support milestones will determine the last date Hillstone Engineering will provide fixes.
All aspects of this process are subject to change without notice and on a case-by-case basis. No particular level of response is guaranteed for any specific issue or class of issues.