Vulnerability Information Handling Policy

Purpose and Scope

Purpose

To properly handle vulnerability information that is discovered inside and outside the company, properly mitigate or remediate vulnerabilities, and reduce customer risk.

Scope

  • All services and products that are developed by Cybozu
  • Third party software that is used by Cybozu

Contents

The contents consist of the following two types of flows:

Response Flow for Vulnerabilities

1. Collecting information
Cybozu broadly collects information from inside and outside the company, and consolidates and manages that information.
Specifically, we identify vulnerabilities internally and also receive reports from outside the company, including the Information Security Early Warning Partnership and Cybozu Bug Bounty Program.

2. Assessing impacts
PSIRT and related departments validate the impact and severity of the information found.
Cybozu uses CVSS (*1) as one of the indicators of severity. We determine the impact and severity of the issue based on the content of the finding.
*1. https://www.ipa.go.jp/security/vuln/CVSSv3.html

3. Countermeasures
Based on the assessment results, related departments consider how and when to handle the issue and make a comprehensive decision.
After making the decision, related departments take necessary actions.

Information Disclosure Flow for Vulnerabilities

We disclose information related to fixing product vulnerabilities on our site and on JVN (Japan Vulnerability Notes), a vulnerability information portal site in Japan. Please note that we follow the simultaneous public disclosure policy and disclose the information on the date agreed upon with JPCERT/CC.
Please refer to the following section regarding the specific disclosure location on our site.

Disclosing Vulnerability Information

An announcement on fixing vulnerabilities will be published on our site.

Location to post general security information from Cybozu
Notices from Cybozu

Location to post Cybozu product defect information including vulnerabilities
Knowledge Base

Posting Acknowledgment

The name of the reporter will be posted.
We will contact the reporter after posting the acknowledgment.
Special thanks to the contributors who have enhanced our service quality.