ISRC (Inspur Security Response Center) is the only platform responsible for accepting, processing and publicly disclosing security vulnerabilities related to Inspur products and solutions. Inspur is committed to ensuring user safety, working to resolve issues quickly when problems arise, and providing recommendations through security advisories. We also hope to strengthen collaboration and dialogue with the industry through this platform.
The vulnerability reporter must submit a potential security vulnerability related to Inspur via email. Please use our PGP public key (key ID 0xC483FD05; PGP fingerprint: 9C0A 9271 6CF9 0CF6 8B28 0606 7CF5 0934 C483 FD05) to encrypt the email and send it to sec@Inspur.com, with the name of the vulnerability (such as: XX product XX vulnerability) in the subject of the email. The content of the email should be as detailed as possible, including:
- The name and contact information of the reporter or organization
- Affected products and their versions
- How the potential vulnerability was discovered: please provide as much detail as possible, including the process, steps, screenshots, and/or reproduction method
- Proof that the potential vulnerability can be exploited, and a PoC
- Recommendation for a possible fix for the potential vulnerability
ISRC personnel handle the reported potential security vulnerabilities based on the vulnerability response process. For more information on how Inspur resolves security issues, see: Vulnerability Response Process.
Vulnerability Response Process
Receive and report:
Proactively monitor and receive potential security vulnerabilities and problems reported by vulnerability reporters, and respond to such issues.
Verify whether potential security vulnerabilities and issues affect the security of the company’s products, and assess the risk to determine the severity level of the vulnerability. ISRC personnel assess vulnerability risks based on the CVSSv3 standard. See the CVSSv3 specification here: https://www.first.org/cvss/specification-document
Develop vulnerability risk mitigations and fixes, verify the fixes, eradicate vulnerabilities, and provide product upgrades or patches.
Vulnerability information is disclosed once workarounds and patches are available (or new versions are released).
Inspur ISRC discloses security vulnerabilities in two forms:
- Security Advisory (SA): Provides confirmed relevant technical information, including but not limited to workarounds and solutions
- Security Notice (SN): Provides general information about a security topic when an issue has been publicly discovered and is under scrutiny, and Inspur has not released any technical information.
Inspur ISRC staff will release an SA immediately when an incident occurs or on a routine basis (the second Wednesday of each month).
Throughout the vulnerability handling process, ISRC personnel will strictly control the distribution of vulnerability information and limit it to only those who are dealing with the vulnerability. Before the vulnerability is fixed, the vulnerability reporter should not disclose or disseminate the vulnerability information. Inspur condemns any attempt to exploit vulnerability testing or security vulnerabilities to undermine and harm the interests of users.