MontaVista Software

Vulnerability Response Policy

Introduction

MontaVista (MV) strives to help our customers minimize risk associated with security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance, and mitigation options to address vulnerabilities. The MontaVista Product Security Incident Response Team (MV PSIRT) is responsible for coordinating the response to, and disclosure of, product vulnerabilities impacting MontaVista products.

Handling Vulnerability Reports

Under this policy, all information disclosed about new vulnerabilities that is not already public knowledge is considered confidential and is shared only between MontaVista and the reporting party until a remedy is available and disclosure activities have been coordinated.

Vulnerability Remediation

After investigating and validating a reported vulnerability, we strive to develop and qualify an appropriate remedy for our products under active support from MontaVista. A remedy can take one or more of the following forms:

MontaVista makes every effort to provide the remedy or corrective action in the shortest commercially reasonable time. Response timelines depend on many factors, such as:

How MontaVista Rates the Severity and Impact of Vulnerabilities

MontaVista uses the Common Vulnerability Scoring System standard, version 3.0 (CVSS v3.0) to communicate the characteristics of vulnerabilities in MontaVista products. The standard is maintained by FIRST.

CVSS scoring provides a numerical means to quantify the severity of the vulnerability, and considers several factors, including the level of effort required to exploit a vulnerability as well as the potential impact should the vulnerability be exploited. MontaVista will summarize the assessed impact of a vulnerability by way of a numeric score, vector string and qualitative representation of the severity (i.e., one of Critical, Serious, Normal, Low), as per the scale provided below:

Severity    CVSS v3.0 Score
Critical    9.0 - 10
Serious     7.0 - 8.9
Normal      4.0 - 6.9
Low         0.1 - 3.9

Please note that it is not uncommon for MontaVista’s evaluation of a vulnerability, CVSS score and/or Vector String to differ from those provided by other sources. In the event of a discrepancy, MontaVista will use the information contained in the MontaVista Security Advisories as the authoritative source of information.
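Because MontaVista's score and vector string may differ from other sources, a reader may want to recompute an advisory's base score from the vector string it publishes. The following Python is an added example, not MontaVista's code or tooling: it implements the CVSS v3.0 base score formula from the FIRST specification and maps the result onto the severity scale in the table above. The roundup helper uses the integer-arithmetic form FIRST later adopted in v3.1 to avoid floating-point drift, and the "None" label for a 0.0 score is an assumption, since the policy's scale starts at 0.1.

```python
WEIGHTS = {  # metric weights from the CVSS v3.0 specification (FIRST)
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},   # Attack Vector
    "AC": {"L": 0.77, "H": 0.44},                          # Attack Complexity
    "UI": {"N": 0.85, "R": 0.62},                          # User Interaction
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},               # C, I and A impact
}
# Privileges Required weights differ when Scope is Changed.
PR_WEIGHTS = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.50}}

def roundup(x):  # round up to one decimal place; integer arithmetic avoids float drift
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (i // 10000 + 1) / 10.0

def parse_vector(vector):
    """Split 'CVSS:3.0/AV:N/...' into a metric dict, rejecting malformed input."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("not a CVSS v3.0 vector string")
    metrics = dict(p.split(":", 1) for p in parts[1:])
    for name in ("AV", "AC", "PR", "UI", "S", "C", "I", "A"):
        if name not in metrics:
            raise ValueError("missing base metric " + name)
    if metrics["S"] not in PR_WEIGHTS:
        raise ValueError("Scope must be U or C")
    return metrics

def base_score(vector):
    """Base score per the v3.0 formula (0.0 when there is no impact)."""
    m = parse_vector(vector)
    scope = m["S"]
    c, i, a = (WEIGHTS["CIA"][m[k]] for k in ("C", "I", "A"))
    iss = 1 - (1 - c) * (1 - i) * (1 - a)          # Impact Sub-Score
    if scope == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    av, ac, ui = WEIGHTS["AV"][m["AV"]], WEIGHTS["AC"][m["AC"]], WEIGHTS["UI"][m["UI"]]
    exploitability = 8.22 * av * ac * PR_WEIGHTS[scope][m["PR"]] * ui
    if impact <= 0:
        return 0.0
    total = impact + exploitability if scope == "U" else 1.08 * (impact + exploitability)
    return roundup(min(total, 10))

def mv_severity(score):
    """Map a score onto the policy's qualitative scale (table above)."""
    for floor, label in ((9.0, "Critical"), (7.0, "Serious"), (4.0, "Normal"), (0.1, "Low")):
        if score >= floor:
            return label
    return "None"  # assumption: 0.0 falls below the policy's scale
```

Running `base_score` on the vector string from an advisory and comparing with the published score is a quick consistency check when two sources disagree.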

External Communications

MontaVista publishes security advisories, notices, and information articles to communicate with customers about security vulnerabilities that affect our products.

Security advisories are released to provide guidance or instructions on how customers can protect themselves, mitigate, and/or remediate vulnerabilities once MontaVista has analyzed and identified solutions.

Security Advisories are intended to provide sufficient detail to assess the impact of vulnerabilities and to remedy potentially affected products. However, full details may be limited to reduce the likelihood that malicious actors can take advantage of the information provided and exploit it to the detriment of our customers.

MontaVista Security Advisories will typically include the following information, as applicable:

On a case-by-case basis, MontaVista may publish a Security Notice to acknowledge a publicly known security vulnerability and provide a statement or other guidance regarding when (or where) additional information will be available.

MontaVista may publish security related Informational Articles to share information about security-related topics such as:

MontaVista Security Advisories and Notices are available at https://support.mvista.com/Security/CVE/. Additional information is available at this link when authenticated.

How to Report a Security Vulnerability

If you identify a security vulnerability in any MontaVista product, we ask you to report it to us as soon as possible. Timely identification of security vulnerabilities is critical to mitigating potential risks to our customers. Security researchers should submit product vulnerability reports via security@mvista.com.

Our customers, partners, vendors, and other users can send vulnerability reports directly to the MontaVista PSIRT via email. Email messages and attachments can be encrypted using PGP and a MontaVista PSIRT PGP key, which is available for download here.

The MontaVista PSIRT team will work with other groups to address the reported issue and provide customers with next steps.

When reporting a potential vulnerability, we ask that you include as much of the below information as possible to help us better understand the nature and scope of the reported issue:

Notifying MontaVista of Other Security Issues

Use the appropriate contacts listed below to report other types of security issues to MontaVista:

Security Issue: To report a security vulnerability or issue in mvista.com, support.mvista.com or any other online service, web application or property.
Contact Information: Submit a report to security@mvista.com with step-by-step instructions to reproduce the issue.

Security Issue: To submit privacy-related requests or questions.
Contact Information: See MontaVista Privacy.

Limitations

MontaVista support cannot provide information about the specifics of vulnerabilities beyond what is provided in the Security Advisory or related documentation, such as release notes, knowledge base articles, and FAQs (Frequently Asked Questions). Further, MontaVista does not share verified exploits or proof-of-concept code for identified vulnerabilities unless they are publicly available. In accordance with industry practice, MontaVista does not share test results or proofs of concept from internal security testing, or other types of privileged information, with external entities.

Customer Entitlements: Warranties, Support, and Maintenance

MontaVista customers’ entitlements regarding warranties, support, and maintenance—including vulnerabilities in any MontaVista software product—are governed solely by the applicable agreement between MontaVista and the individual customer. The statements in this document do not modify, enlarge, or otherwise amend any customer rights or create any additional warranties.

Disclaimer

All aspects of this Vulnerability Response Policy are subject to change without notice. Response is not guaranteed for any specific issue or class of issues. Your use of the information in this document or materials linked herein is at your own risk.

References

Inspired by Dell's policy: Dell Vulnerability Response Policy

Update History

October 28th, 2022: Website updated to include this policy.

Version: 1.0