Brovi's Principles for Vulnerability Management
Brovi has always regarded building and fully implementing an end-to-end, global cyber security assurance system as one of its key development strategies, and has established a sustainable and reliable vulnerability management system covering policy, organization, process, management, technology and standards. It works openly with external stakeholders to jointly address the challenges that vulnerabilities pose.
To state Brovi's basic position on vulnerabilities, Brovi proposes five basic principles for vulnerability management:
1. Reduce harm and risk
Reducing or eliminating the harm that vulnerabilities in Brovi products and services cause to customers, and reducing the potential security risk such vulnerabilities bring to customers/users, is both our vision for vulnerability management and the value that guides our vulnerability handling and disclosure.
2. Reduce and mitigate vulnerabilities
Although the industry accepts that vulnerabilities are inevitable, we will still strive to: 1) take measures to reduce vulnerabilities in products and services; 2) once a vulnerability in a product or service is identified, provide customers/users with a risk mitigation plan in a timely manner.
3. Proactive management
Vulnerabilities can only be solved by joint effort along the supply chain, upstream and downstream. We will proactively identify our own responsibilities in vulnerability management and clarify the requirements that bound them, including regulatory requirements, contractual requirements and the public standards applicable to our business, and we will build and actively operate a management system accordingly.
4. Continuous optimization
Cyber security is a dynamic, continuously evolving process; as threats evolve, defenses must keep innovating. We will continue to optimize the workflows and standards for vulnerability management, keep drawing on industry standards and good practice, and raise our vulnerability management maturity.
5. Open collaboration
We will maintain an open and cooperative attitude, strengthen the links between our supply chain and the external security ecosystem (upstream and downstream suppliers, security researchers, security companies, security regulators and others), and strengthen collaboration with stakeholders on vulnerability-related work to build trustworthy cooperative relationships.
Based on these principles, Brovi has established a comprehensive vulnerability management process. Brovi adheres to a responsible attitude and is committed to protecting customers to the greatest extent possible and reducing the risk of vulnerabilities being exploited.
Vulnerability handling process
Brovi is committed to improving the security of its products and to supporting the secure operation of customer networks and businesses. Brovi attaches great importance to vulnerability management during product development and maintenance, and has established a complete vulnerability handling process so that product security improves and discovered vulnerabilities are responded to in time. The process has five stages:
1. Vulnerability awareness: receive and collect suspected vulnerabilities in products;
2. Verification and evaluation: confirm whether a suspected vulnerability is real and determine its scope of impact;
3. Vulnerability fixing: develop and implement a fix plan;
4. Release of fix information: publish the vulnerability and fix information to customers;
5. Closed-loop improvement: continuously improve based on customer feedback and practice.
Early awareness of a vulnerability is a prerequisite for timely response. On one hand, Brovi encourages security researchers, industry organizations, customers and suppliers to proactively report suspected vulnerabilities to Brovi PSIRT, and requires upstream suppliers to report vulnerabilities in their deliverables to Brovi in a timely manner. On the other hand, Brovi actively monitors well-known public vulnerability databases, open source communities, security websites and other sources to learn of vulnerability information relevant to Brovi products. Brovi tracks every suspected vulnerability it becomes aware of and verifies its impact on all product versions that have not reached EOS (End of Service & Support).
For any suspected vulnerability reported to Brovi PSIRT, PSIRT analyzes and verifies it together with the product team, assesses its severity based on its actual impact on the product, determines the fix priority, and develops a fix plan (including mitigation measures, patches/versions and other risk mitigation options that customers can carry out themselves). In line with the principle of reducing harm and risk, Brovi releases vulnerability information to stakeholders so that customers can assess the actual risk the vulnerability poses to their networks.
If, during product development, delivery or deployment, Brovi discovers a vulnerability in a supplier's product or service, it will proactively communicate the fix requirements to that supplier.
Brovi PSIRT coordinates handling with the reporter and, acting as coordinator itself or through a third-party coordination center, reports the vulnerability to other affected vendors, standards organizations and similar parties to promote its resolution. If a vulnerability involves a standard protocol, the reporter is advised to submit it to Brovi PSIRT and to inform the relevant industry organization at the same time; for example, vulnerabilities in 3GPP communication protocols can also be submitted to the GSMA Coordinated Vulnerability Disclosure (CVD) programme.
In line with the principle of continuous optimization, Brovi will keep improving product security, the vulnerability handling process and related practices.
Throughout the handling process, Brovi PSIRT strictly limits the circulation of vulnerability information to the personnel involved in handling it. We also ask the reporter to keep the vulnerability confidential until affected customers have a complete fix available.
Brovi takes necessary and reasonable protective measures for data obtained in this process, in accordance with legal and compliance requirements. Unless affected customers explicitly request it or the law requires it, Brovi will not proactively share or disclose such data to other parties.
Vulnerability severity level assessment
Brovi uses industry standards to assess the severity of suspected vulnerabilities in its products. Taking CVSS (Common Vulnerability Scoring System) as the example: CVSS has three metric groups, Base, Temporal and Environmental. Brovi provides the Base score and, in some cases, Temporal and Environmental scores for typical deployment scenarios. Brovi encourages end users to calculate the Environmental score for their own network conditions and to treat it as the final rating of the vulnerability in their specific environment, so that it drives their decisions about deploying mitigations.
Because different industries follow different standards, Brovi uses the Security Severity Rating (SSR) as a simpler grading. SSR classifies vulnerabilities into five levels based on the overall severity score: Critical, High, Medium, Low and Informational.
Third party software vulnerabilities
Because Brovi products integrate third-party software/components in many ways and scenarios, Brovi adjusts the rating of a third-party vulnerability to the specific product scenario so that it reflects the vulnerability's real impact. For example, if the affected module of a third-party component is never called by the product, the vulnerability is treated as not exploitable and the product as not affected. Where the existing rating system cannot cover a relevant dimension, Brovi is responsible for explaining its assessment.
Brovi labels a third-party vulnerability "High Profile" when all three of the following criteria are met:
· Its CVSS score is 4.0 or above.
· It has attracted widespread public attention.
· An exploit is available or likely to become available, and the vulnerability may be, or is being, actively exploited.
For a "High Profile" third-party vulnerability, Brovi verifies all product versions that have not reached EOS and, once the "High Profile" classification is confirmed, issues a Security Notice (SN) within 24 hours to tell affected customers how Brovi is handling it. When a fix plan is available, Brovi provides risk decision and mitigation support to affected customers through a Security Advisory (SA). Third-party vulnerabilities not classified as "High Profile" are described in the version/patch release notes.
Publication of vulnerability information
Announcement forms
Brovi releases vulnerability information and fix plans in three forms:
· Security Advisory (SA): contains the vulnerability's severity level, business impact and fix plan, and is used to publish Critical and High (SSR) vulnerabilities directly affecting Brovi products together with their fix plans. An SA also offers a download in Common Vulnerability Reporting Framework (CVRF) format, which describes the vulnerability in a machine-readable XML file so that affected customers can process it with tools.
· Security Notice (SN): contains responses to public security topics related to a product, whether or not they are vulnerabilities. SNs are used to publish information about issues rated Informational under SSR, such as topics discussed in public forums (blogs, mailing lists). SNs are also used for special situations, namely vulnerabilities in Brovi product versions that may attract widespread public attention or that Brovi has observed being actively exploited, so that affected customers can follow the progress of Brovi's response.
· Release Note (RN): the version/patch release notes list the vulnerabilities fixed in that release. As part of the deliverables accompanying a product version or patch, they describe vulnerabilities rated Medium and Low under SSR. So that customers can assess the vulnerability risk of a version/patch in one place, the RN also repeats the vulnerability information and fix plans already published through Security Advisories (SA). For terminal (device) products, Brovi includes this information in the routine patch announcement.
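As an added example of what the machine-readable CVRF download enables (this is not Brovi's format or tooling, and is not code from the original page), the following Python parses a minimal CVRF 1.2 document with the standard library and matches the product names a customer actually runs against the per-product statuses in the advisory. The sample advisory is constructed: its product names, product IDs, document ID, date and the CVE placeholder are illustrative only and describe no real vulnerability; the namespace URIs are those of the ICASI CVRF 1.2 specification.

```python
import xml.etree.ElementTree as ET

# CVRF 1.2 namespaces as defined by the ICASI CVRF 1.2 specification.
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.2",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.2",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.2",
}

# Constructed sample advisory: product names, product IDs, document ID, date
# and the CVE placeholder are illustrative, not a real Brovi advisory.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.2"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.2"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.2">
  <DocumentTitle>Example Security Advisory</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-SA-0001</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
    <InitialReleaseDate>2024-01-01T00:00:00Z</InitialReleaseDate>
  </DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="P-1">ExampleRouter V1.0</prod:FullProductName>
    <prod:FullProductName ProductID="P-2">ExampleRouter V1.1</prod:FullProductName>
    <prod:FullProductName ProductID="P-3">ExampleSwitch V2.0</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Example vulnerability in the management service</vuln:Title>
    <vuln:CVE>CVE-0000-00000</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>P-1</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Fixed"><vuln:ProductID>P-2</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Known Not Affected"><vuln:ProductID>P-3</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSetV3>
        <vuln:BaseScoreV3>7.5</vuln:BaseScoreV3>
        <vuln:VectorV3>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</vuln:VectorV3>
      </vuln:ScoreSetV3>
    </vuln:CVSSScoreSets>
    <vuln:Remediations>
      <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>Upgrade to ExampleRouter V1.1</vuln:Description>
        <vuln:ProductID>P-1</vuln:ProductID>
      </vuln:Remediation>
    </vuln:Remediations>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def parse_cvrf(xml_text):
    """Extract what a customer needs from an SA: document ID, the product
    tree, and per vulnerability the CVE, score, product statuses and fixes."""
    root = ET.fromstring(xml_text)
    doc = {
        "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS),
        "title": root.findtext("cvrf:DocumentTitle", namespaces=NS),
        "products": {p.get("ProductID"): p.text
                     for p in root.iterfind(".//prod:FullProductName", NS)},
        "vulnerabilities": [],
    }
    for v in root.iterfind("vuln:Vulnerability", NS):
        statuses = {}   # ProductID -> "Known Affected" / "Fixed" / ...
        for s in v.iterfind("vuln:ProductStatuses/vuln:Status", NS):
            for pid in s.iterfind("vuln:ProductID", NS):
                statuses[pid.text] = s.get("Type")
        remediations = {}   # ProductID -> (remediation type, description)
        for r in v.iterfind("vuln:Remediations/vuln:Remediation", NS):
            desc = r.findtext("vuln:Description", namespaces=NS)
            for pid in r.iterfind("vuln:ProductID", NS):
                remediations[pid.text] = (r.get("Type"), desc)
        score = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSetV3/vuln:BaseScoreV3",
                           default="0", namespaces=NS)
        doc["vulnerabilities"].append({
            "cve": v.findtext("vuln:CVE", namespaces=NS),
            "title": v.findtext("vuln:Title", namespaces=NS),
            "base_score": float(score),
            "vector": v.findtext("vuln:CVSSScoreSets/vuln:ScoreSetV3/vuln:VectorV3", namespaces=NS),
            "statuses": statuses,
            "remediations": remediations,
        })
    return doc


def affected_in_inventory(doc, inventory):
    """Match the product names a customer runs against the advisory. Only
    'Known Affected' counts as an exposure; 'Fixed' and 'Known Not Affected'
    do not, and a name absent from the product tree is simply not covered."""
    name_to_id = {name: pid for pid, name in doc["products"].items()}
    exposures = []
    for vuln in doc["vulnerabilities"]:
        for name in sorted(inventory):
            pid = name_to_id.get(name)
            if pid is None or vuln["statuses"].get(pid) != "Known Affected":
                continue
            rtype, desc = vuln["remediations"].get(pid, ("None", "no remediation listed"))
            exposures.append({"cve": vuln["cve"], "product": name,
                              "base_score": vuln["base_score"],
                              "remediation": rtype, "action": desc})
    return exposures


if __name__ == "__main__":
    advisory = parse_cvrf(SAMPLE_CVRF)
    for hit in affected_in_inventory(advisory, {"ExampleRouter V1.0", "ExampleSwitch V2.0"}):
        print(advisory["id"], hit)
```

Matching on the advisory's own product tree is the point of the exercise: a customer who keeps an inventory of exact product/version strings can run every downloaded SA through this and get an exposure list with the vendor's remediation attached, instead of reading each advisory by hand. Products absent from the tree are reported as nothing, not as safe, so an inventory entry the vendor does not name still needs a manual check.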
Announcement channels
Brovi publishes Security Advisories (SA) and Security Notices (SN) so that affected customers can obtain vulnerability fix information. Release Notes (RN) are part of the delivery package of a product version/patch, and customers obtain them through the same channels as the version/patch itself.
Announcement plan
Brovi releases an SN or SA to give customers on-site risk decision support when one or more of the following conditions are met:
· The vulnerability is rated "Critical" or "High" under SSR, and Brovi has completed the vulnerability response process and can provide a fix plan that helps customers reduce network risk.
· The vulnerability in a Brovi product version may attract widespread public attention, or Brovi has observed active exploitation that may increase the risk faced by Brovi customers; in such cases Brovi accelerates its response and publishes progress updates.
Obtaining software updates
Vulnerability management follows the lifecycle milestones of product/software versions. Brovi PSIRT manages vulnerabilities in all product versions until End of Service & Support (EOS). Vulnerability fixes are provided until End of Full Support (EOFS); after EOFS, vulnerabilities rated Critical or High under SSR are fixed as appropriate. A product team may define milestones beyond those in this policy; for such cases, consult the specific product documentation to understand the fix support provided.
Customers can mitigate vulnerability risk by upgrading to a new product/software version or installing the latest patch, in accordance with their contract. Customers may obtain and use only software versions for which they hold a valid (currently active) license. A version or patch that fixes a vulnerability does not entitle a customer to a new software license, to other software features, or to a major version upgrade.
Disclaimer and Reserved Rights
If this document exists in multiple language versions and they differ, the Chinese version prevails. The policy described here does not constitute a guarantee or commitment and does not form part of any contract.
Brovi may adjust the policy above at its discretion.
Brovi reserves the right to change or update this document at any time, and will update this policy statement as necessary to increase transparency or respond more actively, for example in response to:
· Feedback from customers, regulators, industry or other stakeholders.
· Changes in overall strategy.
· The adoption of best practices, and similar developments.
When this policy statement changes, we revise the "update date" at the bottom of the policy.
Definitions
The following definitions are used in this policy:

Term       Definition
CVSS       Common Vulnerability Scoring System
GSMA CVD   GSMA Coordinated Vulnerability Disclosure
SSR        Security Severity Rating
EOFS       End of Full Support. From this milestone, newly discovered defects in the version are no longer fixed and no new patch versions are provided; defects that are found are still analyzed and addressed through technical analysis.
EOS        End of Service & Support. From this milestone, no technical service or support is provided, including locating new issues and fixing defects.