3Com Vulnerability Disclosure Policy
This policy outlines how 3Com handles responsible vulnerability disclosure to product vendors, 3Com customers, security vendors and the general public.

3Com will responsibly and promptly notify the appropriate product vendor of a security flaw with their product(s) or service(s). The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail to security@, support@, info@, and secure@company.com with the pertinent information about the vulnerability. Simultaneous with the vendor being notified, 3Com may distribute vulnerability protection filters to its customers' IPS devices through the Digital Vaccine service.

If a vendor fails to acknowledge 3Com's initial notification within five business days, 3Com will initiate a second formal contact by a direct telephone call to a representative for that vendor. If a vendor fails to respond after an additional five business days following the second notification, 3Com may rely on an intermediary to try to establish contact with the vendor. If 3Com exhausts all reasonable means in order to contact a vendor, then 3Com may issue a public advisory disclosing its findings fifteen business days after the initial contact.

If a vendor response is received within the timeframe outlined above, 3Com will allow the vendor a reasonable period of time to develop a fix to the identified vulnerability. 3Com will use its discretion to determine what constitutes a "reasonable period of time" for a vendor fix to be developed on a case-by-case basis. 3Com will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, 3Com will offer to work with that vendor to publicly disclose the flaw with some effective workarounds.

In no cases will an acquired vulnerability be "kept quiet" because a product vendor does not wish to address it.

Before public disclosure of a vulnerability, 3Com may share technical details of the vulnerability with other security vendors who are in a position to provide a protective response to a broader user base. Such a security vendor must show they are able to provide security protection for vulnerabilities, while at the same time not revealing the technical vulnerability details in their product updates.

3Com will formally and publicly release its security advisories on its Web site and on selected security mailing list outlets.
©2007 TippingPoint Corporation. All rights reserved.