Mitel Product Security Policy
As part of Mitel’s ongoing commitment to customers and product excellence, Mitel maintains a dedicated product security incident response program to handle the discovery of potential vulnerabilities and security flaws in products.
Mitel Security Advisories
Public notices regarding moderate and high-risk product security vulnerabilities are published at www.mitel.com/security-advisories.
Assessing Security Risk — Common Vulnerability Scoring System
Mitel uses the industry-recognized Common Vulnerability Scoring System (CVSS) as part of its process to evaluate the risk introduced by potential vulnerabilities in Mitel products.
The use of CVSS version 2.0* is intended as a general guideline; Mitel recommends that customers evaluate the risk themselves, taking into account their specific use of the product and their environment.
Response to vulnerabilities is prioritized based on the level of risk associated with the security vulnerability when exposure is confirmed in Mitel products. The following table identifies Mitel internal response guidelines as mapped to CVSS 2.0 scoring:
CVSS v2 Score Range
8.0 to 10.0
6.0 to 7.9
*The use of CVSS version 3.0 scoring is being evaluated and will be introduced at a later date.
Resolution of Confirmed Security Vulnerabilities
The Mitel Product Security Incident Response Team (PSIRT) will investigate and disclose vulnerabilities for actively supported products. Once a security vulnerability has been confirmed, Mitel will provide solutions commensurate with the risk identified.
Low Risk Vulnerabilities will be corrected as part of the standard product release cycle. For additional information, contact Customer Support.
Mitel’s first and foremost concern is our customers. To this end, Mitel will not publicly publish any details that could potentially be used to compromise products until mitigation is available to reduce or eliminate risk. Critical information will be circulated directly to channel partners and distributors or customers in a timely manner as required, commensurate with the risk.
Mitel respects the security considerations of all customers and will not provide advanced details outside of established channels.
Product Security Publications
Product security vulnerabilities are communicated on a monthly cadence and published to www.mitel.com/security-advisories. Monthly updates are posted within four business days following the end of the reporting period.
Advisories and bulletins will be published outside of the monthly schedule for high-risk and high-profile security vulnerabilities.
Reporting a Vulnerability
The Mitel Product Security Incident Response Team provides direct support for potential vulnerabilities identified in Mitel products. Mitel will work with customers and recognized security organizations to resolve detected security vulnerabilities.
Reporting Process for Mitel Authorized Partners
Mitel Authorized Partners are advised to raise an incident regarding security-related inquiries directly with their regional Mitel product support group according to existing processes. Current software assurance and valid product certifications will be required.
Reporting Process for Mitel Customers
Mitel customers are advised to contact their maintainer / Authorized Partner with any product security-related inquiries. The Authorized Partner will ensure sufficient details are collected prior to raising the issue with the relevant Mitel product support groups.
Reporting Process for Non-Mitel Customers
Non-Mitel Customers can submit reports of potential vulnerabilities in Mitel products via email to firstname.lastname@example.org.
The use of PGP to encrypt sensitive information sent via email is recommended and may be required for continued communications. Click here to obtain the PSIRT PGP key.
In the event additional information / investigation should be required, the PSIRT will respond directly to the reporter. Please note that the email@example.com email address is not for general inquiries or support requests.
For additional information on Mitel products and services, please visit www.mitel.com.
Information made available under this program is provided on an "as is" basis and does not grant or imply any guarantees or warranties, including the warranties of merchantability or fitness for a particular use. Mitel does not guarantee that any of the information is accurate or up to date. By using the information, you acknowledge and agree that your use of the information, or the documents or materials linked to this information, is at your own risk. In addition, Mitel’s provision of this information shall not and does not affect the terms or conditions of any agreement with Mitel. Mitel reserves the right to change or update this information without notice at any time. Contact Mitel for further guidance.