CS Guide: Handling and Escalation Procedures for Security Vulnerabilities in RSA Products
Issue
- An RSA product reportedly contains one or more security vulnerabilities.
- An RSA product embeds a third-party component that has a security vulnerability.
Keywords used to identify a security vulnerability:
Resolution
- Determine whether the customer issue is a security vulnerability condition, using the keywords identified above.
Note: Some issues may be classified by the RSA Product Security Incident Response Team (PSIRT) as security defects rather than security vulnerabilities. For more details, refer to the PSIRT guidance for handling non-vulnerability security weaknesses and the PSIRT guidance for parsing and reporting vulnerability scan reports.
- For a security vulnerability, the Case priority must be set to HIGH. Set the Case severity according to the published definition of severity levels (refer to Defining Case Severity Levels on RSA Link).
- Search for an existing resolution:
- Review the list of Product and Security Advisories, or search for the CVE number on RSA Link (https://community.rsa.com).
- Check Release Documentation to see whether the issue has been resolved.
- Check knowledgebase for resolution.
- Search the knowledge base by CVE # (Example of a CVE Identifier: CVE-1999-0517).
- Check the Engineering defect tracking system for a resolution, if one cannot be found in the knowledge base.
- Provide the response to the customer IF a solution was previously made available externally, in any of the following ways:
- Solution found on RSA Link in a Product or Security Advisory.
- Solution found in Release Documentation.
- Solution found in an external facing knowledgebase.
- Solution found in the knowledgebase marked as internal-only but includes statement(s) for communicating to customers.
- Report the issue to Engineering and PSIRT IF no customer facing response is available; for example, in the following scenarios:
- No reference found on RSA Link, Product or Security Advisories, Release Documentation
- No reference found in the knowledgebase.
- Reference is found in the knowledgebase but the article is marked as internal only AND there is no statement available for customer communication.
- No reference found in Engineering bug tracking system.
- Reference is found in Engineering bug tracking system but the issue is either unresolved or no customer facing response is available. Any response back to the customer must be vetted by PSIRT/Engineering (Product Vulnerability Response Champion).
- How to report the issue to Engineering and PSIRT:
- Create a new Engineering ticket in the bug tracking system (such as JIRA). For some product support teams (e.g., SecurID), the Support Case may need to be escalated to Tier 2 for reporting to Engineering. Follow the Case handling process for your team. Make sure all information provided to PSIRT (the PSIRT report in the next step) is also saved in the Engineering ticket.
- Report the issue to PSIRT by submitting the following required information via email to responsibledisclosure@rsa.com. A PSIRT Ticket (in RSA JIRA) will be created by a member of the team and provided for your tracking purposes.
- Product Name.
- Product Type: Software or Appliance/Virtual Appliance.
- Product Versions.
- Summary.
- RSA Salesforce Case Number.
- Customer Name.
- Engineering Defect/Bug Number.
- Source of Detection: Vulnerability Scanner, Penetration Test/Security Audit, Other.
- Description of the Vulnerability.
- Steps to Reproduce the Vulnerability.
For third-party component issues, please include these additional fields:
- Name of Third-Party Component.
- Operating System Impacted.
- CVE Identifiers.
- How the component is used: shipped with or installed by the RSA product, or a customer-installed/managed component.
NOTE: Once a PSIRT ticket is created in the RSA JIRA, the reporting CS representative will be given access to the ticket for monitoring progress. The PSIRT will work with the product Engineering team to collect a product impact statement. Do not share any information from the ticket with customers without consultation with PSIRT. All information in the PSIRT ticket is considered "Internal Use Only". For any questions or issues, contact PSIRT (at responsibledisclosure@rsa.com).
- When an official response vetted by PSIRT/Engineering is available in the PSRC ticket, create a new internal-only knowledgebase article (or update an existing one) using the Security KB template, as directed by the PSRC. Information on creating a Security KB article can be found on RSA Link at https://community.rsa.com/docs/DOC-41361. For false positives, follow the guidelines available on RSA Link at https://community.rsa.com/docs/DOC-75294.
- Once an official response has been approved by PSIRT/Engineering (Product Vulnerability Response Champion), communicate the response back to the customer.
- Close the case and set the specific resolution code according to the applicable guidelines (refer to the Salesforce Playbook on RSA Link and Resolution Codes on Inside Dell).
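The search steps above key on the CVE identifier (format CVE-YYYY-NNNN, with four or more sequence digits), and the PSIRT report for third-party components asks for the CVE identifiers explicitly. Customer scan reports and emails often carry these in inconsistent forms (lowercase, spaces instead of hyphens, the same ID repeated per host). The following is an added example, not part of this guide or an RSA tool, that extracts the identifiers from pasted report text and normalizes them to the canonical form used for searching RSA Link and the knowledgebase, while flagging tokens that look like CVE references but are not valid (for instance a year before 1999, when CVE numbering began). The sample report text and the plugin names in it are constructed for the example; the actual KB search is still performed by the CS representative.

```python
import re
from datetime import date
from typing import List, Optional, Tuple

# Loose pattern: accepts any letter case and spaces, underscores or hyphens between
# the parts, because pasted scanner output and customer emails are rarely tidy.
# The sequence part must be at least four digits (e.g. CVE-2014-0160 keeps its leading zero).
_CVE_LOOSE = re.compile(r"\bcve[\s_-]*(\d{4})[\s_-]*(\d{4,})\b", re.IGNORECASE)


def normalize_cve(token: str) -> Optional[str]:
    """Return the canonical 'CVE-YYYY-NNNN' form of one token, or None if it is not a valid CVE ID."""
    m = _CVE_LOOSE.fullmatch(token.strip())
    if not m:
        return None
    year, seq = m.group(1), m.group(2)
    # CVE identifiers start at 1999; a year in the future cannot be a real assignment either.
    if not 1999 <= int(year) <= date.today().year:
        return None
    return f"CVE-{year}-{seq}"


def extract_cves(text: str) -> Tuple[List[str], List[str]]:
    """Scan free text for CVE references.

    Returns (valid, rejected): valid holds canonical IDs in first-seen order with
    duplicates removed; rejected holds the raw tokens that looked like CVE references
    but failed validation, so the rep can query the customer about them.
    """
    valid: List[str] = []
    rejected: List[str] = []
    for m in _CVE_LOOSE.finditer(text):
        cve = normalize_cve(m.group(0))
        if cve is None:
            if m.group(0) not in rejected:
                rejected.append(m.group(0))
        elif cve not in valid:
            valid.append(cve)
    return valid, rejected


# Constructed excerpt of a customer-supplied scan report (not real scanner output).
SAMPLE_REPORT = """\
Plugin 12345: OpenSSL Heartbleed (cve-2014-0160) detected on tcp/443
Plugin 67890: Apache Log4j RCE CVE-2021-44228, see also CVE 2021 45046
Informational: reference CVE-1998-0001 has a year before CVE numbering began
Duplicate finding: CVE-2014-0160 on tcp/8443
"""

if __name__ == "__main__":
    found, bad = extract_cves(SAMPLE_REPORT)
    print("Search RSA Link / knowledgebase for:", ", ".join(found))
    print("Ask customer to clarify:", ", ".join(bad) or "none")
```

Feed the normalized list into the RSA Link and knowledgebase searches one identifier at a time; anything in the rejected list should go back to the customer for clarification rather than into the PSIRT report.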
Notes
Training available on Dell EMC Education and Development site:
- RSA CS Security Vulnerability Response Process Training: https://education.emc.com/index_login.htm?id=914342921 (use Internet Explorer)
- Introduction to Vulnerability Response: https://dell.sabacloud.com/Saba/Web_spf/PRODTNT091/common/ledetail/cours000000000376831 (use Internet Explorer)
References:
- Product Vulnerability Response Standard: https://inside.dell.com/community/active/rsa/security-and-risk-office/overview
- RSA Vulnerability Response Policy: https://www.rsa.com/en-us/company/vulnerability-response-policy
Product Details
THIS SOLUTION IS FOR INTERNAL USE ONLY - DO NOT DISTRIBUTE
All RSA Products
Security Vulnerability