Vulnerability Handling Process
We gather and evaluate vulnerability information that may affect our products and services. Based on the results of this assessment, we promptly respond to vulnerabilities and coordinate with relevant security authorities and customers to prevent security incidents.
In order to cooperate with the security activities of our customers and the international community, we participate in the "Information Security Early Warning Partnership
" promoted by the Information-Technology Promotion Agency (IPA). This helps ensure that vulnerability information can be appropriately shared with security authorities in each country and industry.
In addition, to appropriately respond to vulnerabilities affecting our products and services, we have established a vulnerability response process based on the "PSIRT Services Framework," a framework provided by FIRST, an international forum on security incidents. The steps are summarized below.
1. Obtaining Vulnerability Information
We gather information on vulnerabilities that may affect our products and services from both internal and external sources. We welcome inquiries and reports from customers, security organizations, and researchers in each country and industry to ensure we receive comprehensive vulnerability information.
Please report any vulnerabilities in our products and services using the following form:
2. Vulnerability Assessment
We evaluate the impact of vulnerability information obtained from internal and external sources on our products and services.
For vulnerability information reported from external sources, we may request additional details as necessary.
3. Vulnerability Response
If we confirm that a vulnerability affects our products and services, we will respond according to the assessed security risk
We will continue to communicate with the reporter regarding vulnerability information provided from outside the company, respecting the reporter's preferences as far as reasonably possible until the issue is resolved.
4. Disclosure of Vulnerability Information
We disclose vulnerability information as part of our response to vulnerabilities in our products and services.
We have established our "Vulnerability Disclosure Policy" to help ensure the security of our products, services, and the broader international community. If you are a security researcher or anyone providing vulnerability information, please review our policy first. Additionally, if you choose to disclose vulnerability information yourself, we ask that you consider the purpose of our policy and the overall public interest in managing security risks.
Vulnerability Disclosure Policy
We have implemented a vulnerability disclosure policy to ensure that sharing information does not compromise the public interest or increase security risks for our customers.
Disclosure Recipients
We generally disclose vulnerability information only to parties who need it to implement appropriate security measures. If the owner of the affected product cannot be identified, we may publish the information on our website. If the owner can be identified, we will normally disclose details only to relevant parties.
Disclosure Details
In principle, vulnerability disclosures will be limited to information necessary for implementing security measures, such as the affected component, the impact, and recommended mitigations.
If we disclose a vulnerability based on information reported by an external party, we will coordinate the disclosure details with the reporter in advance.
For those who have contributed to the disclosure of vulnerability information, we will write an acknowledgment in the disclosure content with their consent. If multiple people report the same issue, we will acknowledge the first reporter.
Disclosure Timing
In principle, we will disclose vulnerability information only when both of the following conditions are met:
- (1)Sufficient countermeasures are available; and
- (2)The disclosure date is coordinated with all relevant parties, including external stakeholders.
Handling of Disclosed Information
Please be aware that you may not reproduce or reuse any information disclosed by our company without our permission.