Vulnerability Information Handling Policy

Purpose

To properly handle vulnerability information that is discovered inside and outside the company, to properly mitigate or remediate vulnerabilities, and to reduce risk to customers.

This policy consists of two parts: vulnerability management and vulnerability information disclosure.

Vulnerability Response

Scope

  • All services and products that are developed by Cybozu
  • Third party software that is used by Cybozu

Response Flow for Vulnerabilities

1. Collecting information
Cybozu broadly collects information from inside and outside the company, and consolidates and manages that information.
Specifically, we identify vulnerabilities internally and also receive reports from outside the company, including the Information Security Early Warning Partnership and Cybozu Bug Bounty Program.

2. Assessing impacts
PSIRT and related departments validate the impact and severity of the information found.
Cybozu uses CVSS (*1) as one of the indicators of severity. We determine the impact and severity based on the content of the finding.
*1. https://www.ipa.go.jp/security/vuln/CVSSv3.html

3. Countermeasures
Based on the assessment results, related departments consider how and when to handle the issue and make a comprehensive decision.
After making the decision, related departments take necessary actions.

Disclosing Vulnerability Information

Scope

  • On-premises products that are developed by Cybozu (excluding mobile products)

Cybozu discloses information about vulnerabilities for on-premises products to enable our customers and partner companies to identify vulnerabilities which affect them and take appropriate measures.
In principle, we do not disclose information about vulnerabilities for cloud products or mobile products.
For information about disclosure of third-party products Cybozu uses, please refer to "Policy on disclosing Cybozu’s use of third-party products" in the CSIRT Description page on the Cybozu cloud platform’s official website.
CSIRT Description:
https://www.cybozu.com/jp/productsecurity/management/cysirt-en.html

Information Disclosure Flow for Vulnerabilities

1. Disclosure on our site
An announcement on fixing vulnerabilities will be published on our site.

Location to post general security information from Cybozu: Notices from Cybozu

Location to post Cybozu product defect information including vulnerabilities: Knowledge Base

We also acknowledge the individuals who have contributed to improving the quality of our services: Special thanks to contributors who have enhanced our service quality

2. Disclosure on JVN
We disclose information related to fixing product vulnerabilities on JVN (Japan Vulnerability Notes), a vulnerability information portal site in Japan. Please note that we follow the simultaneous public disclosure policy and disclose the information on the date agreed upon with JPCERT/CC.