Vulnerability Reporting

A security vulnerability is a flaw or weakness in the design, deployment, operation or management of a system that can be exploited to violate the system's security policy.

Reporters can submit vulnerability information to Hillstone Networks through the Hillstone PSIRT mailbox. To make verification easier, fill in the vulnerability details according to the "Hillstone Product Vulnerability Submission Template" below and send them directly by e-mail to [email protected]

If sensitive information is involved, we recommend encrypting the e-mail content with the Hillstone PGP public key (–pass–).
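The following script, added here as an illustration and not part of the Hillstone page, walks through the encryption step above with GnuPG: the reporter imports the published public key, records its fingerprint, encrypts the filled-in report to it, and the receiving side decrypts it. Because the page does not include the actual PSIRT key, the script generates a throwaway key pair in a temporary directory to stand in for it; the e-mail addresses, file names and directory layout are likewise constructed for the example. It assumes `gpg` (GnuPG 2.x) is installed.

```shell
#!/bin/sh
# Added example, not from the Hillstone PSIRT page. Simulates "encrypt the
# report with the vendor's PGP public key" end to end using a throwaway key.
set -eu

WORK=$(mktemp -d)
VENDOR_HOME="$WORK/vendor"      # stands in for the PSIRT side (constructed)
REPORTER_HOME="$WORK/reporter"  # the reporter's own keyring (constructed)
mkdir -m 700 "$VENDOR_HOME" "$REPORTER_HOME"

# 1. Throwaway key pair that plays the role of the real PSIRT key.
#    No passphrase, so the decrypt step can run unattended.
gpg --homedir "$VENDOR_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'PSIRT test <psirt-test@example.invalid>' default default

# The vendor publishes only the public half; the reporter downloads this file.
gpg --homedir "$VENDOR_HOME" --batch --quiet --armor \
    --export psirt-test@example.invalid > "$WORK/psirt-pub.asc"

# 2. Reporter imports the published key and reads back its fingerprint.
#    In real use, compare FPR with the fingerprint the vendor publishes on an
#    authenticated channel before encrypting anything to it.
gpg --homedir "$REPORTER_HOME" --batch --quiet --import "$WORK/psirt-pub.asc"
FPR=$(gpg --homedir "$REPORTER_HOME" --batch --with-colons --fingerprint psirt-test@example.invalid \
      | awk -F: '$1=="fpr"{print $10; exit}')

# 3. Encrypt the report to that fingerprint. ASCII armor keeps the result
#    safe to paste into an e-mail body or attach as text.
#    $1 = plaintext report path, $2 = output path
encrypt_report() {
    gpg --homedir "$REPORTER_HOME" --batch --quiet --yes --trust-model always \
        --armor --recipient "$FPR" --output "$2" --encrypt "$1"
}

# 4. Receiving side decrypts with the private key; prints the plaintext.
vendor_decrypt() {
    gpg --homedir "$VENDOR_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$1"
}

# Round trip: encrypt a constructed sample report, check that the armored
# message does not leak the plaintext, then confirm the vendor can read it.
roundtrip() {
    printf 'Title: [test] constructed sample report\nContact: reporter@example.invalid\n' \
        > "$WORK/report.txt"
    encrypt_report "$WORK/report.txt" "$WORK/report.txt.asc"
    if grep -q 'constructed sample report' "$WORK/report.txt.asc"; then
        echo fail
        return
    fi
    if [ "$(vendor_decrypt "$WORK/report.txt.asc")" = "$(cat "$WORK/report.txt")" ]; then
        echo ok
    else
        echo fail
    fi
}

roundtrip
```

For a real submission only the reporter half applies: import the key the vendor publishes, check its fingerprint against the value given on an authenticated page, and run the `encrypt_report` step; `--trust-model always` is used here only because the throwaway key was never signed or locally trusted.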

"Hillstone Product Vulnerability Submission Template"

Title

1. The title should clearly state the affected product, the vulnerability type and similar information.
For example: [Hillstone CloudEdge has a buffer overflow vulnerability]

Contact information

1. Telephone number or e-mail address of the individual or organization.

PGP key

1. If confidentiality is required, say so and provide your PGP public key (up to 20,000 characters) so that we can send an encrypted response.
For example: [Confidential; PGP public key: XXX]

Affected Product(s) or Service(s)

1. The version information of the specific product or service affected by the vulnerability.

2. If the exact version is unknown, the details of the target used during vulnerability testing are also acceptable.
For example: [Product: Hillstone CloudEdge, Version: 5.5R7P6]

Vulnerability Type

1. The specific vulnerability type, such as SQL injection.

2. If the security issue results from exploiting a combination of vulnerabilities, list all of the vulnerability types involved.
For example: [Remote buffer overflow]

Vulnerability Impact

1. The possible consequences of exploiting the vulnerability.
For example: [Sensitive information disclosure]

Vulnerability Description

1. Provide as much information as possible.

2. The environment and the specific system configuration in which the vulnerability occurs.

3. Accurately and objectively describe the location of the vulnerability, the test steps, the PoC/EXP, the scope of impact and so on, and provide screenshots of the key steps, screenshots of a successful exploit, videos, etc. The test steps and PoC must be complete; videos may be provided as a cloud-drive link.

4. For uncommon vulnerability types, additionally provide the underlying principle, the root cause and suggested fixes, with links to reference material.

5. If the reproduction steps involve network packets, provide the relevant packets as attachments.

Vulnerability Disclosure

1. How widely the vulnerability is currently known.

2. Possible future disclosure plans.
For example: [Currently known only to me; no plans to disclose publicly or to third-party platforms]

Additional Information

1. Any other information you would like to share with us.

Notes:

  • This template standardizes the format of vulnerability submissions.
  • Submissions must follow this template; the quality of the report affects the final reward rating.
  • Sensitive information must be encrypted with the PGP public key provided by Hillstone PSIRT before it is sent.