Vulnerability Disclosure Policy

Lenovo is committed to delivering safe and secure products and services. When vulnerabilities are discovered, we work diligently to resolve them. This document describes Lenovo’s policy for receiving reports related to potential security vulnerabilities in its products and services and the company’s standard practice with regards to informing customers of verified vulnerabilities.

When to contact the Product Security Incident Response Team (PSIRT)

Contact the Lenovo Product Security Incident Response Team (PSIRT) by sending an email to psirt@lenovo.com if you have identified a potential security vulnerability with one of our products. After your incident report is received, the appropriate personnel will contact you to follow-up.

To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via email. We are able to receive messages encrypted using OpenPGP. For a copy of our public key for sending encrypted email go here.

The psirt@lenovo.com email address is intended ONLY for the purpose of reporting product or service security vulnerabilities specific to our products or services. For technical support information on our products or services, please visit www.lenovo.com/support.

Lenovo strives to acknowledge receipt of all submitted reports within two business days.

Receiving security information from Lenovo

Security Advisories
Security advisories related to our products and services are posted on our security web site at www.lenovo.com/product_security/advisories. In most cases, we will issue a notice when we have identified a practical workaround or fix for the particular security vulnerability, though there may be instances when we issue a notice in the absence of a workaround when the vulnerability has become widely known to the security community.

In cases where a third party notifies Lenovo of a potential vulnerability found in our products we will investigate the finding and may publish a coordinated disclosure along with the third party. In some instances, Lenovo may receive information about a security vulnerability from a supplier under a confidentiality or non-disclosure agreement or under embargo. In these cases, Lenovo will work with the supplier to request that a security fix is released although we may not be able to provide details about the security vulnerability.

Lenovo does not publish security advisories for open source vulnerabilities.

Release Notes (readme or change history)

Information included in Release Notes related to security updates will reference either the CVE or the internal LEN tracking number. Both are included in our published security advisories as applicable. When Lenovo believes it is in the customer’s best interest to update as soon as possible, the remediation may be released ahead of the security advisory. Once the advisory has been published, information about the vulnerability can be found by referencing the LEN tracking number from the release notes.

Information included in Release Notes related to open source vulnerability remediation will include published CVEs.

Severity

In scoring or rating vulnerabilities, Lenovo follows standard industry best practices to designate the vulnerability’s potential impact as High, Medium or Low. This approach follows the Common Vulnerability Scoring System (CVSS, which provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors, and researchers to all benefit by adopting a common language of scoring IT vulnerabilities.

Product Impact

Generally, security advisories include a list of Lenovo products with a status of Affected, Not Affected or Researching. Affected products will include a link to the fix which can be downloaded from the Lenovo Support site (where all updates are maintained) or a recommended workaround and/or a target date for a remediation. In cases where the vulnerability is specific to a particular set of products, Lenovo may only provide a list of the affected products. On occasion, Lenovo may find it necessary to publish a security advisory in advance of completing an impact assessment across all products. In these cases, a status of Researching will be shown. It is recommended that customers visit the security advisory site to stay current with the advisory status.

References

If additional information on the vulnerability is available, the advisory will provide links as a reference. This includes links to the CVE or blog or article citations.

Acknowledgement

Typically, we look to acknowledge the researcher or finder of the vulnerability and, with their permission, will provide them with a credit.

Revision History

When updates are made to an advisory, the revision history will show what was updated and when.

We make the best effort possible to resolve vulnerabilities in supported products as quickly as possible. However, no guaranteed level of response applies for any specific issue or class of issues due to factors such as fix complexity, quality testing, embargoes, and cross-vendor coordination.