VCE is committed to minimizing our customers’ risk of exposure to product security vulnerabilities. VCE follows industry-standard best practices in responding to potential security risks and in releasing associated Security Advisories and product updates in a timely and responsible manner.
VCE’s business model involves both components created by VCE and products integrated from our corporate parents and the broader partner ecosystem. We address vulnerability management for each of these as follows:
VCE-created components: Vulnerability management for components created by VCE is integrated throughout the product lifecycle. It begins in Product Management, with the establishment of robust security requirements, and continues through the lifecycle with secure coding methods, analysis tools for vulnerability reduction, and robust quality assurance.
Integrated products: VCE integrates best-of-breed technologies from Cisco, EMC, and VMware; many have Common Criteria, FIPS 140-2, and/or other security certifications. During our product selection process, we assess how technologies impact our overall security posture with the objective of offering both defense in depth and strong point offerings for each risk domain.
In both instances, a diligent third-party product selection process, a robust solution engineering development and integration approach, and quality assurance practices all combine to minimize our customers’ exposure to security vulnerabilities.
Vblock Systems are highly integrated converged infrastructures that comprise multiple components. As such, when a security vulnerability is reported, VCE acts swiftly as the central point of contact for third-party components, assessing the impact of each issue on the Vblock System as a whole. This requires thorough investigation, coordination, resolution, and appropriate testing. As a result, development teams on both sides work together to expedite security fixes, treating them as a ‘priority 1’ issue, and often work around the clock to deliver a patch.
While VCE is responsible for disclosing security vulnerabilities to customers, vulnerabilities will not be made public until initial reports have been investigated and validated, patches have been developed and thoroughly tested, and customers with maintenance contracts have been notified and given the chance to take recommended corrective actions.
If you identify a security vulnerability in a VCE product, please report the problem immediately. Timely identification of security vulnerabilities is critical to eliminating potential threats.
Customers, partners, and other entitled users of VCE products should contact VCE Support to report security issues discovered in VCE products. The VCE Support team, in collaboration with the appropriate product team and the VCE Product Security Incident Response Team, will work to address the issue.
Security researchers, industry groups, vendors, and other users that do not have access to VCE Support can send vulnerability reports via e-mail to firstname.lastname@example.org. Please encrypt your message using VCE’s PGP key (VCE PSIRT PGP Key).
VCE is interested in working with both customers and external security researchers and will give credit to those who follow responsible disclosure practices. Responsible security researchers understand that the customer’s security is paramount, so they work with VCE’s Product Security team to make sure a patch is available, and that customers have had adequate time to deploy the patch, prior to discussing the vulnerability in public forums or releasing code. During this process, we commit to maintaining open communications channels with the finder of the vulnerability. VCE appreciates and respects the potential commercial and/or reputational importance timely disclosure may have for the finder.
In addition to working directly with the product security teams at key partners, VCE closely monitors external security resources, including Carnegie Mellon University's Computer Emergency Response Team (CERT), the U.S. National Vulnerability Database, and Bugtraq, for vulnerability notifications regarding integrated third-party products.
When VCE receives a valid vulnerability report regarding an integrated third-party product and a remedy for the vulnerability, we qualify, package, and distribute the third party’s solution to customers. Information and remedies for embedded products are also delivered through our standard customer support process.
CUSTOMER RIGHTS: WARRANTIES, SUPPORT, AND MAINTENANCE
VCE customers’ rights with respect to warranties, support and maintenance—including vulnerabilities in any VCE software product—are governed by the applicable agreement between VCE and each customer.
The statements on this web page do not modify or expand any customer rights or create any additional warranties. Any information provided to VCE regarding vulnerabilities in VCE products—including all information in a product vulnerability report—shall become the sole property of VCE.