Security Advisories and Notifications Policy
Corporate Commitment
BEA Systems is committed to being a leader in secure application infrastructure. Because of this, the security of our customers' sites, data, and code is one of our very highest priorities. This document summarizes BEA's commitment to the security of its products. It also outlines some of the processes that BEA considers important to help address reported security vulnerabilities.
Please note that any potential security vulnerability requires a complex, in-depth investigation of the issues involved and a well-tested solution, both of which may take a considerable amount of time and effort.
Information about security vulnerabilities may originate from a number of different individuals or organizations, some of which may or may not be customers of BEA. Within this process there are two roles that individuals or organizations outside of BEA can play. The first is for those who report the vulnerability; they will be referred to as the Reporter. A Reporter is an individual or organization that directly notifies BEA of a potential security vulnerability contained in a BEA product. A Reporter is typically, but not necessarily, the individual or organization that discovered the potential security vulnerability.
The second role individuals or organizations can play is that of the Coordinator. A Coordinator is an individual or organization that works with both the Reporter and BEA to analyze and validate the vulnerability. Coordinators are typically reputable, independent security organizations that specialize in tracking security vulnerabilities and notifying vendors of them.
BEA gratefully acknowledges the many individuals and organizations that bring potential security vulnerabilities to our notice prior to making these vulnerabilities public knowledge. These individuals and organizations work with BEA to coordinate the distribution of resulting solutions to the general public.
Notification of Vulnerability
BEA realizes the importance of having easily accessible mechanisms for customers, individuals, and organizations to notify BEA of potential security vulnerabilities. With this in mind, BEA has established an email address to which notification of potential vulnerabilities in BEA products can be submitted:
. The use of the email alias is not limited to BEA customers or partners, but may be used by any individual or organization to notify BEA of potential security vulnerabilities.
BEA's Security Response Team monitors this email address and, where appropriate, will endeavor to confirm via email to the Reporter and any involved Coordinators our receipt of the notification of the applicable vulnerability. This receipt does not necessarily imply that BEA has researched, reproduced, validated, or assessed the vulnerability, but merely that BEA is aware of the notification. The receipt may indicate the priority level BEA's Security Response Team has assigned to following up on the reported vulnerability.
Validation of Vulnerability
When a vulnerability notification is received by BEA's Security Response Team, BEA will typically endeavor to (i) determine if the reported vulnerability is already known to BEA, (ii) attempt to reproduce the reported vulnerability, and/or (iii) attempt to obtain additional information about the vulnerability. BEA may in certain cases refuse to validate a reported vulnerability (for example, if the reported vulnerability is found in an unsupported or discontinued product).
To help ensure the vulnerability is addressed throughout the industry, BEA may, at its discretion and as a courtesy, choose to notify other current vendors who share the same codebase as the affected product that the vulnerability has been identified and that a remedy is available.
Vulnerability Resolution
If a reported vulnerability has been appropriately validated by BEA, we will endeavor to assess the severity of the impact of the vulnerability and the likelihood of its exploitation. Based on these assessments and other factors, BEA will endeavor to develop and appropriately prioritize a work-around or patch designed to reduce or eliminate the risk of the vulnerability.
After an appropriate work-around or patch for the reported vulnerability has been sufficiently developed and tested, BEA will endeavor to produce a Security Advisory notice that describes the nature of the vulnerability in such detail as BEA determines appropriate and identifies the location of the patch or a description of the work-around. BEA also typically rolls up and includes all then generally available security patches in the next release or Service Pack for the affected BEA products.
Release of Security Advisory and Remedy
In order to provide customers, individuals, and organizations easy access to appropriate Security Advisory notices and remedies, BEA will generally make public appropriate Security Advisory notices and the related remedies on the publicly accessible web site.
In addition, BEA has established an email list specifically targeted for product security advisories for our customers. As a policy, BEA will generally email a notification that indicates an appropriate Security Advisory notice has been posted and instructions on the appropriate course of action.
BEA MAKES NO EXPRESS OR IMPLIED WARRANTY, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT WITH RESPECT TO THE INFORMATION PROVIDED IN THIS NOTICE OR ANY BEA SECURITY ALERT, RELATED WORK-AROUND, OR RELATED PATCH. ALL INFORMATION IS PROVIDED 'AS IS.'
IN NO EVENT WILL BEA HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, INCLUDING, WITHOUT LIMITATION, ANY LOST REVENUE, PROFITS OR DATA, REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF ANY USE OF THE INFORMATION CONTAINED IN THIS POLICY OR ANY SECURITY ALERT OR RELATED WORK-AROUND OR RELATED PATCH EVEN IF BEA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF SUCH DAMAGES ARE FORESEEABLE.
BEA reserves the right to change this policy at any time without notice.