Skip to main content

INCIDENT RESPONSE​

Carrier Product Security Incident Response

The Carrier Product Security Incident Response Team (PSIRT) focuses on the identification, assessment, and disposition of the risks associated with security vulnerabilities within Carrier products, offerings, solutions, components and/or services. ​ ​ 

Carrier PSIRT is a dedicated team of first responders responsible to deliver advanced support designed to contain and minimize the spread and impact of a product security event, incident, breach, and/or crises. ​ ​ 

Carrier encourages reporters, including security researchers, end-users, and vendors, to contact us with any information relating to potential security flaws or vulnerabilities within any of our offerings.

Confidence from Discovery to Disclosure​

If you believe you have discovered a security issue within any Carrier offering, please send an email to [email protected] with the following information to help us better understand the nature and scope of your finding:​

  • Product Name​
  • Software / Firmware / Hardware Version​
  • Description of Issue / Concern​
  • Reproduction Steps​
  • Contact Information
Receipt of issue/concern notification will be provided within 48 hours. 
 
We encourage you to encrypt your email using our public PGP key to enable secure communications.

Vulnerability Disclosure Policy​

The Carrier Product Security Incident Response Team (PSIRT) employs a coordinated approach to vulnerability disclosure and publication. PSIRT determines the best path when issuing security advisories for our supported Carrier products and our affiliates. Whenever possible, published security advisories will be made publicly available on our Product Security website.​ ​ 

Reporters, Researchers, and Vendors are encouraged to engage Carrier and act responsibly and transparently, in alignment with our goal to respond effectively while protecting our customers. No external disclosure, discussions, or confirmation of issues will be released until after the PSIRT investigation is complete.​ Summary of steps taken:

  • Acknowledgement of Report​
  • Investigation of Findings​
  • Validation of Unique Vulnerability​
  • Planned Remediation of Mitigations​
  • Security Advisory Communication Plan​
  • Disclosure of Vulnerability Publication

Disclaimer: Every alleged vulnerability presented to Carrier is handled on a case-by-case basis. All elements of this policy are subject to change under Carrier’s sole discretion. Carrier strives to be consistent with industry best practices during the execution of this policy.