Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Dell Vulnerability Response Policy

Introduction

Dell strives to help our customers minimize risk associated with security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance, and mitigation options to address vulnerabilities. The Dell Product Security Incident Response Team (Dell PSIRT) is responsible for coordinating the response to, and disclosure of, product vulnerabilities impacting Dell products and recommends that all customers move to supported versions of Dell products before the end of support dates to continue receiving security updates.

Dell actively participates in various community efforts including the Forum of Incident Response and Response Teams (FIRST) and the Software Assurance Forum for Excellence in Code (SAFECode). Our processes and procedures align with the FIRST PSIRT Services Framework, as well as other standards including ISO/IEC 29147:2018 and ISO/IEC 30111:2019.


Handling Vulnerability Reports

Dell values our industry partners and security researchers, appreciates all contributions to our security initiatives, and encourages responsible and coordinated disclosure as the security of our customers is of paramount concern. Our goal is to ensure remedies and/or mitigating strategies are available at the time of disclosure of Dell-specific vulnerabilities, and to work with third-party vendors when remediation requires their collaboration.

As per this policy, all information disclosed about new vulnerabilities is considered confidential and shall only be shared between Dell and the reporting party if the information is not already public knowledge until a remedy is available and disclosure activities are coordinated.


Vulnerability Remediation

After investigating and validating a reported vulnerability, we strive to develop and qualify an appropriate remedy for products under active support from Dell. A remedy can take one or more of the following forms:

  • A new release of the affected product packaged by Dell;
  • A Dell-provided patch that can be installed on top of the affected product;
  • Instructions to download and install an update or patch from a third-party vendor that is required for mitigating the vulnerability;
  • A corrective procedure or workaround published by Dell that instructs users on measures that can be taken to mitigate the vulnerability.

Dell makes every effort to provide the remedy or corrective action in the shortest commercially reasonable time. Response timelines depend on many factors, such as:

  • Severity of the vulnerability;
  • Complexity of the vulnerability;
  • Scope of affectedness;
  • Effort/impact to remediate;
  • Product Life Cycle.

How Dell Rates the Severity and Impact of Vulnerabilities

Dell uses the Common Vulnerability Scoring System standard, version 3.1 (CVSS v3.1) to communicate the characteristics of vulnerabilities in Dell products. The standard is maintained by FIRST.

CVSS scoring provides a numerical means to quantify the severity of the vulnerability, and considers several factors, including the level of effort required to exploit a vulnerability as well as the potential impact should the vulnerability be exploited. Dell will summarize the assessed impact of a vulnerability by way of a numeric score, vector string and qualitative representation of the severity (i.e., one of Critical, High, Medium, Low), as per the scale provided below:

Severity

CVSS v3.1 Score

Critical

9.0 – 10

High

7.0 – 8.9

Medium

4.0 – 6.9

Low

0.1 – 3.9

Dell recommends that all customers use this information to support the calculation of environmental metrics that might be relevant to their environment, to accurately assess the risk specific to their assets or implementation of Dell products.

Please note that it is not uncommon for Dell’s evaluation of a vulnerability, CVSS score and/or Vector String to differ from those provided by other sources. In the event of a discrepancy, Dell will use the information contained in the Dell Security Advisories as the authoritative source of information.


External Communications

Dell publishes security advisories, notices, and information articles to communicate with customers about security vulnerabilities that affect our products.

Security advisories are released to provide guidance or instructions on how customers can protect themselves, mitigate, and/or remediate vulnerabilities once Dell has analyzed and identified solutions.

Security Advisories are intended to provide sufficient detail to assess the impact of vulnerabilities and to remedy potentially affected products. However, full details may be limited to reduce the likelihood that malicious actors can take advantage of the information provided and exploit it to the detriment of our customers.

Dell Security Advisories will typically include the following information, as applicable:

  • The overall impact, which is a textual representation of the severity (that is critical, high, medium, and low) calculated using the CVSS Severity Qualitative Severity Rating Scale for the highest CVSS Base Score of all identified vulnerabilities;
  • Products and versions affected;
  • The CVSS Base Score and Vector for all identified vulnerabilities;
  • Common Vulnerabilities and Exposures (CVE) identifier for all identified vulnerabilities so that the information for each unique vulnerability can be shared across various vulnerability management capabilities (for example, tools like vulnerability scanners, repositories, and services);
  • Brief description of the vulnerability and the potential impact if exploited;
  • Remediation details with update/workaround information;
  • Vulnerability category information:
    • Proprietary Code – Dell-developed hardware, software, or firmware.
    • Third-Party Component – hardware, software, or firmware that is either freely distributed by packaged, or otherwise incorporated into a Dell product;
  • Additional references as applicable.

On a case-by-case basis, Dell may publish a Security Notice to acknowledge a publicly known security vulnerability and provide a statement or other guidance regarding when (or where) additional information will be available.

Dell may publish security related Informational Articles to share information about security-related topics such as:

  • New security hardening features introduced;
  • Product specific security configuration guides and best practices;
  • Security vulnerabilities in third-party components, identified by vulnerability scanning tools but which are not exploitable from within the specified product;
  • Installation instructions for applying specific security updates;
  • Information regarding the effect of security updates in non-Dell product co-requisites and pre-requisites which could have an impact on Dell products.

Dell Security Advisories and Notices are available at www.dell.com/support/security. Informational articles are available at this link when authenticated.


How to Report a Security Vulnerability

If you identify a security vulnerability in any Dell product, we ask you to report it as soon as possible. Timely identification and reporting of security vulnerabilities is critical to mitigating potential risks to our customers. Security researchers should submit product vulnerability reports via the Dell Bugcrowd site.  Enterprise and commercial product customers and partners should contact their respective Technical Support team to report any security issues discovered in Dell products. The Technical Support team, appropriate product team, and the Dell PSIRT will work together to address the reported issue and provide customers with next steps.

Industry groups, vendors, and other users that do not have access to Technical Support and/or do not want to go through the bug bounty program can send vulnerability reports directly to the Dell PSIRT via email. Email messages and attachments should be encrypted when transmitting sensitive information by using PGP and a Dell PSIRT PGP key, which is available for download here.

In all cases, Dell will strive to acknowledge your vulnerability disclosure report within three (3) business days of receipt and provide updates on remediation with a frequency of thirty (30) calendar days or less.

When reporting a potential vulnerability, we ask that you include as much of the below information as possible to help us better understand the nature and scope of the reported issue:

  • Product name and version containing the suspected weakness / vulnerability;
  • Environment or system information under which the issue was reproduced (for example: product model number, operating system version, and other related information);
  • Common Weakness Enumeration (CWE) and Type and/or class of vulnerability (e.g., Cross-site Scripting, buffer overflow, denial of service, remote code execution);
  • Step-by-step instructions to reproduce the vulnerability;
  • Proof-of-concept or exploit code;
  • Potential impact of the vulnerability.

Researcher Conduct Guidelines

If a vulnerability provides you with access to confidential or non-public information (including third party data, personal data or any information marked by Dell as Internal Use, Restricted, or Highly Restricted), you should only access such information as minimally necessary to report the vulnerability to Dell. Apart from your submission to Dell, you should not  store, transfer, use, retain, disclose, or copy any such information.

You also should not engage in any actions which affect the integrity or availability of Dell systems unless you have the explicit permission of the owner. Only do the minimum necessary to obtain a proof of concept. If you notice performance degradation during your research or inadvertently cause a violation or disruption (such as accessing customer data or service configurations), please stop any use of automated tools and report the incident immediately. If, at any time, you have concerns or are uncertain whether your security research is consistent with this policy, please inquire with secure@dell.com before going further.


Notifying Dell of other Security Issues

Use the appropriate contacts listed below to report other types of security issues to Dell:

Security Issue

Contact Information

To report a security vulnerability or issue in Dell.com or other online service, web application or property.

Submit a report at https://bugcrowd.com/dell-com with step-by-step instructions to reproduce the issue.

If you suspect identity theft or have experienced a fraudulent transaction related to Dell Financial Services.

See Dell Financial Services Security.

To submit privacy related requests or questions.

See Dell Privacy.


Limitations

Dell strives to be as transparent as possible by providing information about vulnerability remediation efforts in our Security Advisory and related documentation, which may include  release notes, knowledgebase articles, and FAQs (Frequently Asked Questions).  Dell does not share verified exploits or proof of concept code for identified vulnerabilities. Additionally, in accordance with industry practices, Dell does not share test results or proof of concepts from internal security testing, or other types of privileged information, with external entities.


Customer Entitlements: Warranties, Support, and Maintenance

Dell customers’ entitlements regarding warranties, support, and maintenance—including vulnerabilities in any Dell software product—are governed solely by the applicable agreement between Dell and the individual customer. The statements on this web page do not modify, enlarge, or otherwise amend any customer rights or create any additional warranties.


Disclaimer

All aspects of this Vulnerability Response Policy are subject to change without notice. Response is not guaranteed for any specific issue or class of issues. Your use of the information in this document or materials linked herein is at your own risk.