Vulnerability Disclosure Policy
Lenovo is committed to delivering safe and secure products and services. When vulnerabilities are discovered, we work diligently to resolve them. This document describes Lenovo’s policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing
customers of verified vulnerabilities.
When to contact the Product Security Incident Response Team (PSIRT)
Contact the Lenovo Product Security Incident Response Team (PSIRT) by sending an email to firstname.lastname@example.org if you
have identified a potential security vulnerability with one of our products. After your incident report is received, the appropriate personnel will contact you to follow-up.
To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via email. We are able to receive messages encrypted using OpenPGP. A copy of our public key that can be used to send encrypted email can be found here.
The email@example.com email address is intended ONLY for the purpose of reporting product or service security vulnerabilities specific to our products or services. For technical support information on our products or services, please visit www.lenovo.com/support.
Lenovo strives to acknowledge receipt of all submitted reports within two business days.
Receiving security information from Lenovo
Technical information about security advisories related to our products and services are posted on our security web site at www.lenovo.com/product_security/advisories. In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability, though there may be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.
When Lenovo is notified by a third party of a potential vulnerability found in our products we will investigate the finding and may publish a coordinated disclosure along with the third party. In some instances Lenovo may receive information about a security vulnerability from a supplier under a confidentiality or non-disclosure agreement. In these cases, Lenovo will work with the supplier to request that a security fix is released although we may not be able to provide details about the security vulnerability.
In scoring or rating vulnerabilities, Lenovo follows standard industry best practices to designate the vulnerability’s potential impact as High, Medium or Low. This approach follows the Common Vulnerability Scoring System (CVSS, which provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors, and researchers to all benefit by adopting a common language of scoring IT vulnerabilities.
Security advisories are written to clearly explain the vulnerability, including the name, the cause and other available
information. Advisories provide information about known threats that relate to the vulnerability (e.g. the existence of exploit or proof-of-concept code, discussion or evidence of incident activity). The advisory also describes potential/expected consequences of attacks against the vulnerability.
Generally, security advisories include a list of Lenovo products with a status of Affected, Not Affected or Researching. Affected products will include a link to the fix which can be downloaded from the Lenovo Support site (where all updates are maintained) or a recommended workaround and/or a target date for a remediation. In cases where the vulnerability is specific to a particular set of products, Lenovo may only provide a list of the affected products. On occasion, Lenovo may find it necessary to publish a security advisory in advance of completing an impact assessment across all products. In these cases, a status of Researching will be shown. It is recommended that customers visit the security advisory site to stay current with the advisory status.
For product vulnerabilities, the advisory provides information on how to obtain the fix or security patch. In some cases, a workaround may be recommended to help customers protect the affected products in use through operational effort or by limiting use in some way without applying the security fix or patch.
If additional information on the vulnerability is available, the advisory will provide links as a reference. This includes links to the CVE or blog or article citations.
Typically, we look to acknowledge the researcher or finder of the vulnerability and, with their permission, will provide them with a credit.
When updates are made to an advisory, the revision history will show what was updated and when.
Note: all aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.