When to contact us?
Ericsson PSIRT should be contacted when:
- A potentially exploitable security vulnerability in one of Ericsson products/solutions is identified
- Security vulnerability coordination contact is needed involving any Ericsson product/solution
Note: All security related concerns for existing customers are handled through the Customer Support channel according to the support agreements.
Ericsson PSIRT uses the firstname.lastname@example.org email address for all vulnerability disclosure and coordination communications. To ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via e-mail using PGP. More info is available in the contact section below.
The mail should preferably have the following information:
- Contact name and organization
- Ericsson products/solutions and versions affected
- Description of the potential vulnerability
- Including detailed technical description
- Information about known exploits
- Disclosure plans, if any
- Do not include any attachments in your first email as the email might get automatically filtered out. PSIRT will arrange for secure file transfer if required.
Please note that the above information is preferred but not mandatory. PSIRT expects to be informed about a potential vulnerability immediately. The missing information can be shared in further communication.
What will happen next?
Ericsson PSIRT will respond to the vulnerability reporter and establish communication to exchange further information and to acknowledge that the report has been received.
Reported issues towards Ericsson portfolio will be investigated and coordinated by Ericsson PSIRT. All vulnerability details are handled with high confidentiality on a need to know basis both internally and externally.
During the vulnerability coordination Ericsson PSIRT will continue to collaborate with the reporter to get more detailed information and to keep them apprised about the progress as much as confidentiality allows.
When the coordination/investigation process of the reported vulnerability has concluded, PSIRT will communicate appropriate details back to the reporter and any other relevant parties.
The decision of when and where the reported vulnerability is published is determined case-by-case. PSIRT aims to share vulnerability details with relevant parties as soon as possible after the internal investigation has concluded.
PSIRT may recognize researchers on the Acknowledgements page for a responsible and valid disclosure. PSIRT reserves the right to make the decision case-by-case.
PGP key fingerprint:
A963 712B 498D 5514 73EB 1E6A 6104 38AC BE53 8FDE
Ericsson PSIRT PGP key (.txt)
Note: Please encrypt all of your messages with the above PGP key and include your own public key in the email.