Vul. Response Process
During the whole process, PSIRT will strictly control the scope of information distribution amongst employees relevant to the vulnerability response. Meanwhile, PSIRT will also request the vulnerability reporter keep the vulnerability confidential until Huawei releases the public Security Advisory (SA)
Huawei uses two methods to disclose the security vulnerabilities:
- SA（Security Advisory)：to provide confirmed technical information, including but not limited to the mitigation measures and solutions;
- SN（Security Notice）：to provide general information related to the security vulnerability when the external parties have found or are concerned about Huawei vulnerability and Huawei hasn’t confirmed the provided information at this point.
When we release the public SA in the official website , we may also release the SA in text format on security forums, vulnerability database or email lists, however only The official Huawei website will be kept up-to-date with the current information
PSIRT uses CVSSv3 to give the Base Score, Temporal Score and attack vector of each vulnerability in the SA. The Environmental Score will be given by the customer based on their own environment. For the CVSSv3 standard, please refer to: https://www.first.org/cvss/specification-document
Huawei uses CVE (Common Vulnerability and Exposures) to quote the vulnerabilities outside of Huawei vulnerability disclosure websites.
Huawei PSIRT releases SAs in real time or regularly (on each Wednesday).
Huawei assumes no responsibilities for the accuracy, integrity, sufficiency and reliability of the content and information in this Policy. All express or implied warranties are expressly disclaimed. Without limitation, there is no warranty of non-infringement and no warranty of fitness for a particular purpose. Your use or interpretation of the information provided in this document is at your sole risk. Any information provided in this document is subject to correction, revision and change without notice