Vulnerability Disclosure Policy

Extreme Networks, Inc. prioritizes the security of our products. We encourage the responsible disclosure of potential vulnerabilities to help us maintain a secure environment. We are committed to maintaining the highest standards of security and appreciate the efforts of the security community in identifying potential vulnerabilities.

This policy outlines our approach to handling vulnerability disclosures, including how we recognize and protect those who report under this policy.

Scope

This policy applies to:

- Any potential vulnerabilities discovered in Extreme Networks, Inc.'s products and services; and
- Vulnerabilities in open-source projects affecting Extreme Networks, Inc.'s products and services that are not covered by a more specific CNA (CVE Numbering Authority).

This policy does not apply to internal corporate systems and any third-party products or services not substantially under our control.

Restrictions

Parties researching potential vulnerabilities in Extreme products must refrain from:

  • Exploiting a potential vulnerability for any reason, including accessing or modifying data that does not belong to you
  • Any service disruption, such as a Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of our employees, contractors, customers, or partners
  • Any attacks against our physical property or data centers

We do not participate in bug bounty programs.

Reporting Process 

If you believe you have discovered a potential vulnerability, we encourage you to report it to us as soon as possible.  

We will endeavor to acknowledge receipt of your report within 72 hours and will work with you to understand the issue fully. PGP-encrypted communications are preferred. Alternatively, an Extreme Networks secure messaging service may be used.

Our Commitments

We will endeavor to keep you informed of the progress as we work to resolve the issue.

We will not take legal action against you if you follow this policy in good faith.

We will credit you for your discovery or keep your identity confidential if you prefer.

Coordination of Public Disclosure

We adhere to the coordinated vulnerability disclosure process. We request that researchers refrain from disclosing vulnerabilities publicly before giving us the opportunity to address the issue. We typically ask for an embargo period before any disclosure. We will coordinate the disclosure timeline with the researcher on a case-by-case basis.

Contact 

If you have any questions about this policy, contact us at psirt@extremenetworks.com.  

Report a Vulnerability 

Please report a suspected security vulnerability to Extreme Networks' PSIRT via email, and encrypt the message with our PGP public key.

Please direct these emails to psirt@extremenetworks.com and include the following information:

  • Organization and contact name:  
  • Email address and contact number:  
  • Products or solutions impacted: 
  • Product or solution versions impacted:
  • Description of the potential vulnerability:  

PGP key: 
