Vulnerability Disclosure Policy
Lenovo is committed to delivering safe and secure products and services. We work diligently to resolve security vulnerabilities when they are discovered.
This document describes Lenovo’s policy for informing users of potential security vulnerabilities in supported products and services.
Reporting a Vulnerability
Refer to Reporting a Product Security Vulnerability to notify us of a Lenovo product security vulnerability.
Coordinated Vulnerability Disclosure
Lenovo participates in Coordinated Vulnerability Disclosure and strongly encourages our suppliers and researchers to do the same. This means Lenovo publicly discloses a vulnerability once mitigations are available. Coordinated Vulnerability Disclosure protects users from cybercriminals because mitigations are available at the time of public disclosure. Refer to the CERT® Guide to Coordinated Vulnerability Disclosure for more information. Lenovo does not disclose security vulnerabilities before they become public or embargoes are lifted.
Safe Harbor
Lenovo authorizes individuals to perform security testing for non-commercial purposes, provided such testing is conducted in good faith to enhance the security of Lenovo’s products through testing, investigation, and/or correction of a security flaw or vulnerability. Lenovo will not pursue legal actions as a result of such testing provided a good faith effort is made to follow the Coordinated Vulnerability Disclosure process and testing complies with all applicable laws. Lenovo does not authorize testing that degrades access to or damages our applications, systems, or infrastructure, or is conducted in bad faith or with malicious intent. This authorization does not apply to security testing conducted on third-party Internet-based applications, systems, or infrastructure.
Security Advisories
Security advisories are the primary method for communicating information about vulnerabilities related to our products and services and can be found on our Security Advisories web page. We will issue an advisory when we have identified a practical workaround, mitigation, or fix for the particular security vulnerability, if appropriate. There may be instances when we issue an advisory in the absence of a fix when the vulnerability has become widely known to the security community.
In cases where a third party notifies Lenovo of a potential vulnerability in our products, we will investigate the finding and may publish a coordinated disclosure along with the third party. Lenovo may receive information about a security vulnerability from a supplier under a confidential or non-disclosure agreement or under embargo. Lenovo will work with the supplier to request that a security fix is released in these cases, although we may not be able to provide details about the security vulnerability.
Lenovo does not publish security advisories for open source vulnerabilities but may do so if appropriate. Open source fixes may be identified in release notes by their assigned CVEs.
Our security advisories include the following elements:
Severity
Lenovo follows standard industry best practices to designate the vulnerability’s potential impact as Critical, High, Medium, or Low when scoring or rating vulnerabilities.
This approach follows the Common Vulnerability Scoring System (CVSS 3.1), which provides an open framework for communicating the characteristics and impacts of vulnerabilities. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors, and researchers to all benefit by adopting a common language for scoring vulnerabilities.
Product Impact
Security advisories include a list of known affected Lenovo products. Lenovo recommends that customers visit the security advisory site to stay current with the advisory status.
Acknowledgement
We acknowledge the researcher or finder of the vulnerability, with their permission.
References
The advisory will provide links to references if additional information on the vulnerability is available. This includes links to the CVE or blog or article citations.
Revision History
The revision history will show what was updated and when as we update an advisory.
Release Notes (readme or change history)
Information included in product Release Notes related to security updates will reference either the CVE or the internal LEN tracking number. Both are included in our published security advisories as applicable. The remediation may be released ahead of the security advisory when Lenovo believes it is in the customer’s best interest to update as soon as possible. Information about the vulnerability can be found by referencing the LEN tracking number from the release notes once the advisory has been published. Information included in Release Notes related to open source vulnerability remediation will include published CVEs.
We make the best effort possible to resolve vulnerabilities in supported products as quickly as possible. However, no guaranteed level of response applies for any specific issue or class of issues due to factors such as fix complexity, quality testing, embargoes, and cross-vendor coordination.