Aruba Product Security Incident Response Policy

Scope

Aruba’s Security Incident Response Team (SIRT) is responsible for receiving, tracking, managing, and disclosing vulnerabilities in Aruba products. The Aruba SIRT actively works with industry, non-profit, government organizations, and the security community when vulnerabilities are reported. A security vulnerability is defined as any weakness in a product that allows an attacker to compromise the confidentiality, integrity, or availability of a product, customer infrastructure, or IT system through an Aruba product in that environment.

Aruba SIRT activities cover products manufactured or sold by Aruba under the Aruba brand name, including Aruba’s SaaS solutions (for example, Aruba Central). Only currently-supported products and software releases that have not reached a support milestone date listed on the Aruba End of Life page are covered. In addition to Aruba-branded products, the Aruba SIRT also covers currently-supported products manufactured by Aruba subsidiaries or acquisitions, as well as currently-supported switching products with the HP ProCurve brand name.

Aruba’s SIRT operates in accordance with ISO/IEC 29147:2018.

Contacting Aruba for Security Assistance

Aruba Products - General Security Inquiries

Many customers have questions and concerns regarding the security of Aruba products, including the following:

  • Generic security questions
  • Security-related configuration questions not covered in the hardening guide
  • Questions on whether or not you are experiencing a product vulnerability
  • Questions related to specific CVE(s)
  • Questions related to the results of a vulnerability scanner
  • Need emergency support assistance

In general, your first contact for these types of inquiries should be the Aruba Technical Assistance Center (TAC), using the following contact information.

Emergency Support for Switching Products (including HP ProCurve):

  • +1 844 806-3425 (North America)
  • Contact info outside of North America

Emergency Support for All Other Aruba Products:

  • +1 800 943-4526 or +1 408 754-1200 (North America)
  • Contact info outside of North America

Submit a report online

Non-Aruba HPE Products

To report vulnerabilities in other non-Aruba HPE products, please contact the HPE PSIRT through https://www.hpe.com/h41268/live/index_e.aspx?qid=11503

Aruba Websites, Digital Workplace Systems, or Non-Product-Related Incidents

Please email security@hpe.com

Suspected Aruba Product Vulnerabilities

If you have discovered a suspected vulnerability in any Aruba product, together with proof-of-concept (POC) code or procedures and/or all of the details listed below indicating possible compromise of an Aruba product or its environment (due to an Aruba product vulnerability), please contact the Aruba SIRT directly.

The preferred method of reporting such product vulnerabilities to Aruba is by sending an email to sirt@arubanetworks.com using our public PGP key (ID 0x458586D9), which can be found on public key servers or at www.nexbus-cng.com/support-services/public-key

If you have information about a security issue or vulnerability with a Silver Peak product or technology, contact the Silver Peak Security Incident Response Team.

Please make sure to include in your email:

  1. A high-level description of the problem and a technical contact who can answer all related questions
  2. A list of the Aruba hardware involved
  3. The Aruba software versions involved
  4. A detailed description of the issue which ideally provides enough information to reproduce the problem
  5. Logs, crash dumps, screenshots and other supporting information

If your email meets the criteria above, the Aruba SIRT will acknowledge your email within 24 hours. After acknowledging the email, we request five business days to validate the reported finding and prepare a response, or to request more information if needed. We would appreciate it if you could wait for our response before reporting the problem to others.

The Aruba SIRT is not responsible for any “non-product” HPE or Aruba IT system, network, or website. Please see contacts above for the respective products and services.

The Aruba SIRT cannot conduct incident response or forensic investigations related to products deployed in customer environments, but will provide support if a customer-initiated investigation uncovers evidence of a previously unknown product vulnerability.

Aruba’s Commitment to Product Security and Integrity

Aruba product development practices generally align with the OWASP OpenSAMM framework, and most Aruba products are designed to comply with relevant ISO/IEC 15408 (Common Criteria) protection profiles.

HPE and Aruba corporate policies prohibit intentional product features or capabilities that allow unauthorized device or network access, exposure of sensitive customer data, or bypass of security features. These include, but are not limited to:

  • Undisclosed unauthorized device access methods (i.e. "backdoors")
  • Intentional protocol or cryptographic weaknesses
  • Hardcoded or undocumented accounts and account credentials
  • Covert communication channels
  • Undocumented features that allow copy or diversion of network traffic

Aruba considers such product behaviors to be serious vulnerabilities and will treat them as such by correcting the vulnerability and issuing vulnerability disclosures.

Aruba’s Commitment to the Security Community

Aruba has consistently supported the work of the security community and security researchers, and values the work done by this community to improve the security of technology products. Aruba is committed to working with the security community to discover, verify, and respond to vulnerabilities found in our products, and encourages the community to participate in a responsible disclosure process.

To encourage responsible reporting of security vulnerabilities, Aruba will not take legal action nor request law enforcement action against any individual or group conducting legitimate good-faith security research and reporting vulnerabilities in Aruba products or services, provided those individuals or groups comply with the following guidelines:

  • Provide all information necessary to reproduce the vulnerability.
  • Do not violate the privacy of Aruba’s customers, partners, or users. If you come into possession of privacy-impacting information, securely report this information to Aruba and then destroy it.
  • Do not modify information that does not belong to you.
  • Give Aruba a reasonable amount of time to correct and disclose the vulnerability before making any information public. The Aruba SIRT is willing to provide status updates on a vulnerability report upon request.
  • Do not violate any laws.

Specifically:

  • Aruba does not consider legitimate good-faith security research to be a violation of the Aruba End User Licensing Agreement, even if that research involves reverse-engineering of Aruba technology.
  • Aruba will not bring a copyright infringement claim under the Digital Millennium Copyright Act against a legitimate good-faith security researcher, even if that research involves circumventing security mechanisms in Aruba products.
  • Aruba will not consider a legitimate good-faith security researcher’s access to products covered by the Aruba SIRT to be access without authorization or access exceeding authorization under the Computer Fraud and Abuse Act, provided the researcher complies with this policy.

Aruba will provide public acknowledgement and credit to security researchers in published vulnerability advisories. Some Aruba products are part of a bug bounty program, managed by Bugcrowd, and Aruba will pay rewards to those researchers who choose to participate in this program. Payments will be made even if a researcher first reports the vulnerability directly to Aruba and then later reports it through the bug bounty program.

During the course of legitimate security research, Aruba products may be rendered inoperable (“bricked”), either intentionally or unintentionally. Aruba will make a commercially reasonable effort to assist researchers in repairing such products on a one-time basis.

Aruba Security Vulnerability Response Process

All reports sent to the Aruba SIRT concerning the suspected or potential existence of a vulnerability in Aruba products are reviewed and processed by Aruba’s SIRT members. This review is performed using the written description of the suspected vulnerability and any other supporting data collected by the reporter. In some cases, it is necessary to request additional information from the reporting entity in order to begin the review.

The Aruba SIRT employs a thorough review and analysis process designed to provide the best qualification and classification of reported vulnerabilities. We require detailed technical information and scenario-based descriptions from the reporter to ensure that the assessment can be completed. After the Aruba SIRT performs an initial assessment, a severity rating is assigned. The SIRT will contact the reporter to update them on the status of the investigation and, if a vulnerability exists, its severity. The Aruba SIRT will work with the reporter to determine the planned resolution and the customer and public communication plan.

The Aruba SIRT has overall responsibility for managing the process of developing and distributing workarounds and patch releases for the vulnerability. This oversight is required to ensure that, during the notification process, the appropriate aspects of customer support are met. Once the workarounds and patch releases are ready for customer distribution, the Aruba SIRT will publish advisories on the SIRT web site for easy access by customers.

All information received by the Aruba SIRT is considered confidential, and as such is restricted to a limited group of Aruba subject matter experts with specific skills designed to provide the most comprehensive resolution action plan. In addition, the SIRT will ask the reporter to treat the information as confidential until such a time as Aruba can provide customers with resolution plans and options for mitigation, as well as a coordinated customer and public disclosure. Where the reporter wishes to receive public acknowledgement or “credit” for finding the vulnerability, Aruba will provide that in the published security advisory.

Disclosure Guidelines

Aruba handles and discloses vulnerabilities in accordance with ISO/IEC 30111.

Public disclosure of vulnerabilities will generally take place only after permanent fixes are available. Where the vulnerability occurs in multiple branches of software, or in multiple software products, Aruba will publish advisories once the last branch or product is updated and released. However, if Aruba learns that information about an unpublished vulnerability is being communicated externally, a vulnerability advisory will be published immediately along with details of any possible workaround or defense. In the case of vulnerabilities in open-source software that are being publicly discussed, Aruba will immediately issue a security advisory once it has been determined that the vulnerability affects an Aruba product.

The initial vulnerability advisory will include general information about the vulnerability, workarounds, and steps to resolve the vulnerability. The public advisory is the only information Aruba provides to anyone within the first 60 days. After 60 days, Aruba may, at its sole discretion, publicly release full details about the vulnerability. Security researchers who wish to publicize details of Aruba vulnerabilities (for example, in a blog or at a conference) are asked to wait for the same 60-day period after the advisory is published. As a courtesy, we ask that you notify Aruba that such a presentation will be given.

Under no circumstances is disclosure selective. Aruba’s policy is to notify all customers of vulnerabilities at the same time. No Aruba customer, partner, or third party receives advance notification or additional details of a vulnerability. Aruba’s OEM partners are typically notified within three days prior to public disclosure to allow their respective security response teams to prepare to notify their own customers. Aruba’s OEM partners have agreed to coordinate vulnerability notifications with Aruba so that all end users are alerted simultaneously. Approximately 18 hours before public disclosure, a copy of the advisory is provided to Aruba’s customer-facing staff (TAC, SEs, etc.), who are prohibited from sharing the information until it is officially released. OEM partners and customer-facing staff receive only a copy of the public advisory; they are not provided with full details of the vulnerability.

Receiving Security Advisories

Security advisories are published on the Aruba SIRT website. This site includes the latest advisories as well as an archive of previous advisories.

Aruba provides an email notification service for security advisories. To subscribe to this service, visit the self-service portal. This service is provided free of charge to the public and is offered on a best-effort basis through a commercial mailing list provider. Aruba may offer other notification channels through premium support service offerings, but under no circumstances will Aruba offer an “advance notification” service.

About This Document

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Aruba reserves the right to change or update this document without notice at any time.