During the whole process, PSIRT will strictly control the scope of information distribution amongst employees relevant to the vulnerability response. Meanwhile, PSIRT will also request that the vulnerability reporter keep the vulnerability confidential until Huawei releases the public Security Advisory (SA).
Huawei uses two methods to disclose security vulnerabilities:
When we release the public SA on the official website, we may also release the SA in text format on security forums, vulnerability databases or email lists. However, only the official Huawei website will be kept up to date with the current information.
PSIRT uses CVSSv3 to give the Base Score, Temporal Score and attack vector of each vulnerability in the SA. The Environmental Score will be given by the customer based on their own environment. For the CVSSv3 standard, please refer to: https://www.first.org/cvss/specification-document
Huawei uses CVE (Common Vulnerabilities and Exposures) to refer to vulnerabilities outside of Huawei's vulnerability disclosure websites.
Huawei PSIRT releases SAs either in real time or on a regular schedule (each Wednesday).