- Industry Left Col
- Industry Right Col
HCL Software PSIRT
The HCL Software Product Security Incident Response Team (PSIRT) is a global team that manages the investigation and coordination of security vulnerability information related to HCL Software offerings. This team will coordinate with HCL Software product development teams to investigate and identify the appropriate response plan. HCL Software is committed to the safety and security of all our products and services.
This team will coordinate with product and solutions teams to investigate, and if needed, identify the appropriate response plan. Customers of HCL Software offerings should report all product related issues, including potential security vulnerabilities, to HCL Software Support.
HCL Software is committed to the safety and security of all our products and services. This page describes our process and policy for the handling of security vulnerabilities in our products and services.
Report a Security Vulnerability
HCL Software defines a security vulnerability as a weakness or flaw in a product or service that could allow an attacker to compromise the integrity, availability, or confidentiality of the product or service.
If you are a U.S. Federal Government Customer, please call the Federal toll-free number 1-855-855-5016; Federal toll number: 1-984-333-9914 for assistance. All other customers, please use the Security Case form on the HCL Support Portal to submit your report.If you are a security researcher, please submit your report via email to PSIRT@hcl.com. See the HCL Software Vulnerability Disclosure Policy for more information.
Please include details of the software product and version, hardware platform, reproduction steps, potential impact and a proof of concept (if possible). This will enable us to duplicate the issue and respond to your report in a timely manner.
Analysis and Remediation
Acknowledgement and Analysis of a Vulnerability Report
HCL Software Support will acknowledge the receipt of the report within 2 business days. A tracking number will be provided in the acknowledgment email. Please include this tracking number in the subject of all further email communications relating to the submission.
For all validated security vulnerabilities affecting HCL Software products and services that are in active support, HCL Software will provide a fix or workaround. A Security Bulletin describing the fix or workaround will be posted in the Knowledge Base on the HCL Customer Support portal.
HCL Software uses version 3.0 of the Common Vulnerability Scoring System (CVSS) as part of its standard process of evaluating reported potential vulnerabilities in HCL Software products. The CVSS model uses three distinct measurements or scores that include Base, Temporal, and Environmental calculations.
HCL Software will provide an evaluation of the base vulnerability score, and in some instances, will provide a temporal vulnerability score. End users are encouraged to compute the environmental score based on their network parameters. The combination of all three scores should be considered the final score, which represents a moment in time and is tailored to a specific environment. Organizations are advised to use this final score to prioritize responses in their own environments.
Advisories or Bulletins of Product Security Information and Software Updates
Information relating to addressed vulnerabilities are published in Security Advisories or Security Bulletins, which are available from the Knowledge Base on the HCL Customer Support portal.” To find a particular Security Bulletin in the HCL Support Knowledge Base, type “Security Bulletin” in the Search bar and use the filters on the left side of the screen.
Security advisories are published under the following situations:
- A security issue that is specific to our software or that affects open-source software that can reasonably be assumed to affect our software is publicly reported and widely available; AND a fix is available in one or more supported software versions.
- A security issue that affects our software is privately reported to HCL Software; and a fix is available in currently supported software versions.
Security advisories will include the following information, where applicable:
- Affected products and versions
- Description of vulnerability
- Potential impact rating
- Common Vulnerability Enumerator ID (CVE: http://cve.mitre.org )
- Severity rating (HCL uses version 3 of the Common Vulnerability Scoring System, CVSSv3; https://www.first.org/cvss/user-guide)
- Available updates, fixes or workarounds
- Acknowledgement of the reporter (if applicable)