
Ericsson product vulnerability disclosure policy

Ericsson welcomes independent security researchers, vendors, customers, and other sources to responsibly report security vulnerabilities affecting the Ericsson product portfolio.

Overview

Ericsson places a high priority on security concerns and we are strongly committed to safeguarding our customers. Our goal is to analyze and validate reported issues, and to provide corrective actions to address them, in a timely manner.

This policy outlines the procedures for reporting vulnerabilities to Ericsson, provides guidance to the vulnerability reporters and explains what you can expect once we receive your report. Ericsson reserves the right to deviate from this policy when necessary.

For detailed insights into the vulnerability management process followed by the Ericsson Product Security Incident Response Team (PSIRT), please visit the Ericsson PSIRT webpage.

Reporting product vulnerabilities

If you need to report a potential security vulnerability in any Ericsson product, please use one of the following methods:

For additional security, we highly recommend encrypting your email using the Ericsson PSIRT PGP public key.

All existing customers and suppliers should directly connect with their Ericsson contacts using the established channels to report any security concerns.

When reporting a product security vulnerability, you should include at least the following information to help us understand the scope and impact of the issue:

1. Name and version of the affected product or software
2. Detailed instructions to replicate the vulnerability
3. Proof-of-concept or exploit code
4. Potential implications of the concern
5. Public disclosure plans

Upon successful receipt of the report, our security team will send an acknowledgment to the reporter and begin the process of analyzing, validating, and taking corrective actions to address the vulnerability.

All information received in the report is treated with the utmost care and is considered confidential. It is shared only with the relevant stakeholders on a need-to-know basis.

For reporting security concerns in Ericsson IT systems such as Ericsson website vulnerabilities, or non-product related issues, please use one of the following methods:

For additional security, you can encrypt your email using the Vulnerability Disclosure PGP public key.

Code of conduct

When you participate in our vulnerability disclosure program, we expect the following from you:

  • Perform only the minimum non-destructive actions necessary to obtain the proof of concept.
  • Do not engage in any activities that could be damaging or disruptive to the availability or performance of the targeted systems.
  • Do not violate any applicable laws or breach any agreements.
  • Always secure permission from the operator of the equipment.
  • To protect our customers and critical infrastructure deployments around the world, we request you refrain from publicly disclosing any vulnerabilities until we have addressed the issue.
  • Please inform us as soon as possible if you have any plans for disclosure.

Ericsson vulnerability remediation and response process

After validating the vulnerability, we will work to provide a resolution and updates, and will collaborate with you as needed throughout the vulnerability investigation process.

Ericsson uses the Common Vulnerability Scoring System (CVSS) as a part of its standard process for determining the severity of reported potential vulnerabilities along with other factors like scope and product impact.

The timelines to respond to and address a vulnerability depend on several factors, such as the severity of the vulnerability, the scope and complexity of the issue, and the product life cycle.

If we discover or identify a vulnerability in products or code developed by other vendors, we will communicate the response to the reporter and support communicating the vulnerability to the relevant vendor to the best of our knowledge.

Scope for assigning Ericsson CVE

Our scope includes all vulnerabilities present in the products that Ericsson develops and sells as market offerings until they reach the end-of-support milestone.

Ericsson assigns CVE (Common Vulnerabilities and Exposures) identifiers for qualifying product vulnerabilities reported by an external finder/reporter and if we make changes in Ericsson’s own proprietary code and the solution requires a customer to apply fixes such as deploying new software.

Security Bulletin and external communications

When a reported vulnerability is addressed and a solution is available, we will notify the affected customers using the appropriate communication channels. If Ericsson assigns a CVE, we will publish the CVE and security bulletin on our public page.

The security bulletin will include a brief description of the vulnerability, Ericsson’s severity assessment rating using CVSS, the CVE identifier, and, if applicable, details of the affected products and versions, along with guidance on addressing the issue.

Ericsson acknowledgments

We will offer a formal acknowledgment, provided your research is conducted as per this policy and you are the first to report the issue.

If you consent to the acknowledgment, we can mention your name on our Acknowledgements webpage. If a security bulletin is published on our public page, we will give you credit for your findings.

Please note that we do not currently have a bug bounty program, nor do we offer any other rewards.

Contact information

If you have any questions or comments regarding this policy, please contact Ericsson PSIRT.