Inspur Product Security Incident Response Team

Overview

The Inspur Product Security Incident Response Team (PSIRT) is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to Inspur products.

Inspur PSIRT is a focal point for security researchers, industry groups, government organizations, and vendors to report potential Inspur product security vulnerabilities. This team will coordinate with Inspur product and solutions teams to investigate and, if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.

Reporting a Security Vulnerability

A security vulnerability is a defect or weakness in the design, deployment, operation or management of a system that may be exploited to breach the system's security mechanisms.

Reporters must submit potential security vulnerabilities related to Inspur via email. Please encrypt your message with our PGP public key (key ID 0x80C3904A) and send it to sec@inspur.com, with the name of the vulnerability (such as: XX product XX vulnerability) in the subject of the email. The content of the email should be as detailed as possible, including:

• The name and contact information of the reporter or organization

• The products and versions affected

• How the potential vulnerability was discovered, including the process, steps, screenshots, and/or reproduction method

• Information about known exploits

• Recommendations for a possible fix for the potential vulnerability

A member of the Inspur PSIRT will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Inspur works to resolve security issues, see: Vulnerability handling guidelines

We only accept vulnerabilities in the following products:

1) Server

2) Server management software

3) AI Management Suite

4) Storage

5) InCloudOS

6) BigData product - Insight

7) Security products

Inspur Vulnerability Handling Process

Security vulnerabilities in Inspur products are actively managed through a well-defined process. The process consists of 5 key steps:

Reception: The process begins when the Inspur PSIRT becomes aware of a potential security vulnerability in an Inspur product. Inspur PSIRT notifies the appropriate Inspur product teams of the potential vulnerability for analysis.

Analysis: Inspur PSIRT attempts to reproduce the issue to verify whether it is a vulnerability. After the initial analysis, the vulnerability undergoes further investigation by Inspur PSIRT to determine the underlying cause and possible methods of exploitation. The appropriate product team completes the remediation plan for the vulnerability, taking into consideration the affected versions.

Solution: The product team develops a solution that mitigates the reported security vulnerability. Solutions will take different forms based on the vulnerability, such as product upgrades or patches. In cases where a vulnerability is being actively exploited, Inspur may deliver a temporary solution to contain the issue while working on the full solution.

Communication: Once the remediation is available, Inspur intends to notify the affected customers about the vulnerability, either through targeted communications or by issuing a public Security Bulletin. Inspur PSIRT discloses security vulnerabilities in two forms:

Security Advisory (SA): Provides information about security vulnerabilities identified with Inspur products, including any fixes, workarounds or other actions.

Security Notice (SN): Provides information of general interest about security topics related to Inspur products or the use of Inspur products.

Feedback: The last stage in the Inspur PSIRT process allows Inspur PSIRT to share findings with our Engineering team(s) to help minimize similar vulnerabilities in future Inspur offerings.

Throughout the vulnerability handling process, our PSIRT strictly ensures that vulnerability information is transferred only between relevant handlers. We sincerely ask that you keep the information confidential until a complete solution is available to our customers.

Acknowledgment

To express our sincere gratitude to vulnerability reporters, Inspur PSIRT has established a vulnerability discovery reward plan. We welcome security researchers around the world to report security vulnerabilities.

Need product support?

The sec@inspur.com e-mail address should only be used for reporting security issues.

If you...

 》Have questions about the security features of an Inspur product

 》Require technical support

 》Want product updates or patches

Please visit the Inspur Support Center.