Mitel Product Security Policy

As part of Mitel’s ongoing commitment to customers and product excellence, Mitel maintains a dedicated product security incident response program to handle the discovery of potential vulnerabilities and security flaws in products.

The Mitel Product Security Vulnerability Policy provides further information on the vulnerability management process for Mitel products.

 

Mitel Security Advisories

Public notices regarding product security vulnerabilities are published at Security Advisories.

Assessing Security Risk — Common Vulnerability Scoring System

Mitel uses the industry-recognized Common Vulnerability Scoring System (CVSS) as part of its process to evaluate the risk introduced by potential vulnerabilities in Mitel products.

The use of CVSS version 3.1 is intended as a general guideline; Mitel recommends that customers evaluate the risk themselves, taking into account their specific use of the product and their environment.

Response to vulnerabilities is prioritized based on the level of risk associated with the security vulnerability when exposure is confirmed in Mitel products. The following table summarizes CVSS v3.1 severity ratings, which inform Mitel internal response guidelines.

CVSS v3.1 Severity Ratings

Severity    Base Score Range
Critical    9.0-10.0
High        7.0-8.9
Medium      4.0-6.9
Low         0.1-3.9
None        0.0

 

Resolution of Confirmed Security Vulnerabilities

The Mitel Product Security Incident Response Team (PSIRT) will investigate and disclose vulnerabilities for actively supported products. Once a security vulnerability has been confirmed, Mitel will provide solutions commensurate with the risk identified.

Lower risk vulnerabilities will be corrected as part of the standard product release cycle. For additional information, contact Support.

 

Disclosure Policy

Mitel's first and foremost concern is our customers. To this end, Mitel will not publicly publish any details that could potentially be used to compromise products until mitigation is available to reduce or eliminate risk. Critical information will be circulated directly to channel partners and distributors or customers in a timely manner as required, commensurate with the risk.

Mitel respects the security considerations of all customers and will not provide advanced details outside of established channels.

 

Product Security Publications

Product security vulnerabilities are communicated as required and published to the Mitel Security Advisories page.

Customers and channel partners are encouraged to sign up for proactive notification of new security advisory publications available on the Security Advisories page.

 

Reporting a Vulnerability

The Mitel Product Security Incident Response Team provides direct support for potential vulnerabilities identified in Mitel products. Mitel will work with customers and recognized security organizations to resolve detected security vulnerabilities.

Reporting Process for Mitel Authorized Partners

Mitel Authorized Partners are advised to raise an incident regarding security-related inquiries directly with their regional Mitel product support group according to existing processes. Current software assurance and valid product certifications will be required.

Reporting Process for Mitel Customers

Mitel customers are advised to contact their maintainer / Authorized Partner with any product security-related inquiries. The Authorized Partner will ensure sufficient details are collected prior to raising the issue with the relevant Mitel product support groups.

Reporting Process for Non-Mitel Customers

Non-Mitel Customers can submit reports of potential vulnerabilities in Mitel products via email [email protected].

The use of PGP to encrypt sensitive information sent via email is recommended and may be required for continued communications. Click here to obtain the PSIRT PGP key.

If additional information or investigation is required, the PSIRT will respond directly to the reporter. Please note that the [email protected] email address is not for general inquiries or support requests.

For additional information on Mitel products and services, please visit Mitel.com.

 

Disclaimer

Information made available under this program is provided on an "as is" basis and does not grant or imply any guarantees or warranties, including the warranties of merchantability or fitness for a particular use. Mitel does not guarantee that any of the information is accurate or up to date. By using the information, you acknowledge and agree that your use of the information, or the documents or materials linked to this information, is at your own risk. In addition, Mitel’s provision of this information shall not and does not affect the terms or conditions of any agreement with Mitel. Mitel reserves the right to change or update this information without notice at any time. Contact Mitel for further guidance.
