Anyone experiencing a Jazz Networks product security issue is strongly encouraged to contact the Jazz Networks PSIRT via email@example.com. Jazz welcomes reports from customers, vendors, security researchers, industry organizations, and other stakeholders.
Please contact the Jazz Networks PSIRT via firstname.lastname@example.org. Support requests will be acknowledged within 48 hours.
For general security questions, please contact email@example.com.
If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing firstname.lastname@example.org.
Please include the following details with your report:
Jazz Networks takes the security of our customers and its relationship with the security research community seriously. This document outlines what can be expected from Jazz Networks when a vulnerability is reported and what Jazz considers to be acceptable for researchers in the process of testing.
We require that all researchers:
If you follow these guidelines when reporting an issue to us, we commit to:
Legally acquired versions of Jazz Networks software running in a deployment for which the researcher has the rights, or explicit permission, to test are in scope. Security researchers may be provided with trial versions of software for experimentation.
Any services hosted by third-party providers and services are excluded from scope.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
Things we do not want to receive:
Jazz Networks Ltd is committed to resolving vulnerabilities to meet the needs of its customers and the broader technology community. This document describes Jazz Networks’ policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regard to informing customers of verified vulnerabilities.
Contact the Jazz Networks Product Security Incident Response Team (PSIRT) by sending an email to email@example.com in the following situations:
After your incident report is received, the appropriate personnel will contact you to follow up.
The firstname.lastname@example.org email address is intended ONLY for the purposes of reporting product or service security vulnerabilities. It is not for technical support information on our products or services. All content other than that specific to security vulnerabilities in our products or services will be dropped. For technical and customer support inquiries, please visit jazznetworks.com/contact. Jazz Networks attempts to acknowledge receipt of all submitted reports within 48 hours.
Technical security information about our products and services is distributed through several channels:
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.
Use of the information constitutes acceptance for use in an AS IS condition. There are no express or implied warranties or assurances with regard to this information. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
At any point in the process, PSIRT can choose to issue or update a security advisory if the issue becomes public.
Issues which impact (in a way which can be used by an attacker) the Confidentiality, Integrity or Availability (CIA) of installations are considered to be security issues. At this point severity is not considered: if it impacts one of CIA, then it’s a security issue.
Security issues are prioritized by severity using CVSSv3 scoring:
These map to turnaround times as follows:
PSIRT can raise the priority to Critical in response to exploitation in the wild, public disclosure, etc.
All public communication on the subject of security vulnerabilities is via PSIRT through agreed channels.