Contact Us to Report a Vulnerability
Reporting a Product Security Vulnerability
Lenovo is committed to developing products and services that adhere to the highest security standards in order to protect our customers and their data. Lenovo welcomes information about potential security vulnerabilities from security researchers, academics, and others in the wider security community.
Lenovo's Product Security Incident Response Team (PSIRT) is ready to work with those who bring such vulnerabilities to its attention and strives to acknowledge all relevant submissions within two business days. The PSIRT will investigate the issue, develop or source fixes, and then provide these fixes to Lenovo customers as quickly as possible. Lenovo may assign a CVE identifier per our CVE Number Authority Information Sharing and Embargo Policy.
CVE Number Authority (CNA) Information Sharing and Embargo Policy
Common Vulnerabilities and Exposures (CVE®) is a dictionary of publicly known information security vulnerabilities and exposures and is maintained by The MITRE Corporation. A CVE identifier represents a single security vulnerability and allows vendors, researchers and customers to talk about that specific vulnerability.
Lenovo assigns CVE identifiers for Lenovo product vulnerabilities even if vulnerability information will remain private for an unpredictable amount of time. Lenovo requires the discoverer to maintain confidentiality during the embargo period which is defined as the period of time between the CVE request and the negotiated disclosure date, at which time the discoverer will be publicly credited.
The policy of this CNA is that CVE ID requests are not visible to persons with any perceived conflict of interest. CVE ID requests may be read by persons who are Lenovo employees and/or contractors. These persons must not work for other organizations that request CVE IDs, use CVE IDs, or produce or sell products that may have CVEs.
Please review these instructions carefully to ensure security vulnerability findings are reported to the correct team within Lenovo.
Lenovo always recommends operating at the latest version revisions of platform software (BIOS, BMC/TSM, FW, etc). As such, Lenovo only evaluates security vulnerabilities against the most current version available at support.lenovo.com.
For product security vulnerabilities affecting Lenovo PC, Tablet or Accessories, send an e-mail to firstname.lastname@example.org. You may use Lenovo's Product Security Incident Response Team PGP key to encrypt sensitive information (Click here to download our PGP public key). To report security vulnerabilities affecting Lenovo or Motorola phone products, send an e-mail to email@example.com. Please provide as much information as possible. Include product names and versions affected, a detailed description of the vulnerability and any information on known exploitation. Please also include your PGP key so we may communicate with you on sensitive issues. Refer to Lenovo’s Vulnerability Disclosure Policy for additional information.
For vulnerabilities found in a Lenovo website, send an email to firstname.lastname@example.org.
For security vulnerabilities in the operating system (OS), Lenovo recommends that you contact the vendor of your operating system.
If you need to report a lost or stolen product or need technical support, refer to the Support Phone List to find the
contact information for your product.
Refer to the current Lenovo Product Security Advisories site for information about the latest vulnerabilities.