Aruba Product Security Incident Response Policy

Scope

Aruba’s Security Incident Response Team (SIRT) is responsible for receiving, tracking, managing, and disclosing vulnerabilities in Aruba products.  The Aruba SIRT actively works with industry, non-profit, government organizations, and the security community when vulnerabilities are reported.  A security vulnerability is defined as any weakness in a product that allows an attacker to compromise the confidentiality, integrity, or availability of a product, customer infrastructure, or IT system through an Aruba product in that environment.

Aruba SIRT activities cover products manufactured or sold by Aruba, a Hewlett Packard Enterprise company, under the Aruba brand name, including Aruba’s SaaS solutions such as Aruba Central.  Only products and software releases which are currently supported and have not reached their end of support milestone date as listed at the Aruba End of Life page are covered. In addition to Aruba-branded products, the Aruba SIRT also covers currently-supported products manufactured by Aruba subsidiaries or acquisitions, as well as currently-supported switching products with the HP ProCurve brand name.

Aruba’s SIRT operates in accordance with ISO/IEC 29147:2018.


Reporting Suspicious Vulnerabilities to Aruba SIRT

The preferred method to reporting suspect product vulnerabilities to Aruba is by sending an email to
sirt@arubanetworks.com using our public PGP key (ID 0x458586D9), that can be found on public key servers and also at here.

Please make sure to send us a detailed description of the problem. The Aruba SIRT will acknowledge your email within 24 hours. After acknowledging the email, we request five business days to validate the reported finding and prepare a response or request more information, if needed. We appreciate if you could wait for our response prior to reporting the problem to others.

When reporting, please try to include the following:

  1. High-level description of the problem along with a technical contact we can get in touch with who can answer all related questions
  2. List of the Aruba hardware involved
  3. Aruba software versions involved
  4. A detailed description of the issue which ideally provides enough information to reproduce the problem
  5. Logs, crash dumps and other supporting information

Information shared with the Aruba SIRT is distributed to a select group of Aruba employees who are experienced in handling security related issues and is treated as extremely confidential.  Vulnerability information is disclosed internally on a need-to-know basis. Vulnerability handling at Aruba is performed in accordance with ISO/IEC 30111:2013.

If you are uncertain whether you are experiencing a vulnerability, or if you need emergency support, security configurations and non-vulnerability related security questions, your first contact should be to the Aruba Technical Assistance Center (TAC).

Emergency Support for Switching Products (including HP ProCurve)Emergency Support for All Other Aruba Products
+1 844 806-3425 (North America)+1 800 943-4526 or +1 408 754-1200 (North America)
Contact info outside of North AmericaContact info outside of North America
Submit a report online 

The Aruba SIRT is not responsible for any “non-product” HPE or Aruba IT system, network, or website. 

To report vulnerabilities in other non-Aruba HPE products please contact the HPE PSIRT.

For Aruba’s IT systems or non-product related incidents please email aruba-security@hpe.com.


Aruba’s Commitment to Product Security and Integrity

Aruba product development practices generally align with the OWASP OpenSAMM framework, and most Aruba products are designed to comply with relevant ISO/IEC 15408 (Common Criteria) protection profiles.

HPE and Aruba corporate policies prohibit intentional product features or capabilities that allow unauthorized device or network access, exposure of sensitive customer data, or bypass of security features. These include, but are not limited to:

  • Undisclosed unauthorized device access methods (i.e. "backdoors")
  • Intentional protocol or cryptographic weaknesses
  • Hardcoded or undocumented accounts and account credentials
  • Covert communication channels
  • Undocumented features that allow copy or diversion of network traffic

Aruba considers such product behaviors to be serious vulnerabilities and will treat them as such by correcting the vulnerability and issuing vulnerability disclosures.


Aruba’s Commitment to the Security Community

Aruba has consistently supported the work of the security community and security researchers, and values the work done by this community to improve the security of technology products.  Aruba is committed to working with the security community to discover, verify, and respond to vulnerabilities found in our products, and encourages the community to participate in a responsible disclosure process.

To encourage responsible reporting of security vulnerabilities, Aruba will not take legal action nor request law enforcement action against any individual or group conducting legitimate good-faith security research and reporting vulnerabilities in Aruba products or services, provided those individuals or groups comply with the following guidelines:

  • Provide all information necessary to reproduce the vulnerability.
  • Do not violate the privacy of Aruba customers, partners, or users.  If you come into possession of privacy-impacting information, securely report this information to Aruba and then destroy it.
  • Do not modify information that does not belong to you.
  • Give Aruba a reasonable amount of time to correct and disclose the vulnerability before making any information public.  The Aruba SIRT is willing to provide status updates regarding vulnerability reports upon request.
  • Do not violate any laws.

Specifically:

  • Aruba does not consider legitimate good-faith security research to be a violation of the Aruba End User Licensing Agreement even if that research involves reverse-engineering of Aruba technology.
  • Aruba will not bring a copyright infringement claim under the Digital Millennium Copyright Act against a legitimate good-faith security researcher even if that research involves circumventing security mechanisms in the Aruba products.
  • Aruba will not consider that access of an Aruba SIRT-covered product by a legitimate good-faith security researcher has been access without authorization or access that exceeds authorization under the Computer Fraud and Abuse Act, provided that researcher complies with this policy.

Aruba will provide public acknowledgement and credit to security researchers in published vulnerability advisories.  Some Aruba products are part of a bug bounty program, managed by Bugcrowd, and Aruba will pay rewards to those researchers who choose to participate in this program.  Payments will be made even if a researcher first reports the vulnerability directly to Aruba and then later reports it through the bug bounty program.

During the course of legitimate security research, Aruba products may be rendered inoperable (“bricked”), either intentionally or unintentionally.  Aruba will make a commercially reasonable effort to assist researchers in repairing such products on a one-time basis


Aruba Security Vulnerability Response Process

All reports sent to the Aruba SIRT concerning suspected or potential existence of a vulnerability related to Aruba products are reviewed and processed by Aruba’s SIRT members. This review is performed utilizing the written description of the suspected vulnerability and any other supporting data collected by the reporter. In some cases, it is necessary to request additional information from the reporting entity in order to begin the review.

The Aruba SIRT utilizes a thorough review and analysis process designed to provide the best qualification and categorization of reported vulnerabilities. We require detailed technical information and scenario-based descriptions from the reporter in order to ensure a successful evaluation can be completed. After the Aruba SIRT performs an initial evaluation, assignment of severity level is made. The SIRT will contact the reporter in order to update the status of the investigation and the severity level of the vulnerability should one exist. The Aruba SIRT will work with the reporter to determine the planned timeframes for resolution, as well as the customer and public communication plans.

The Aruba SIRT has overall responsibility for managing the process of development and distribution of workarounds and patch releases for the vulnerability. This oversight is required to ensure that during the notification process, the appropriate aspects of customer support are met. Once the workarounds and patch releases are ready for customer distribution, the Aruba SIRT will publish advisories on the SIRT web site for easy access by customers.

All information received by the Aruba SIRT is considered confidential, and as such is restricted to a limited group of Aruba subject matter experts with specific skills designed to provide the most comprehensive resolution action plan. In addition, the SIRT will ask the reporter to treat the information as confidential until such a time as Aruba can provide customers with resolution plans and options for mitigation, as well as a coordinated customer and public disclosure. Where the reporter wishes to receive public acknowledgement or “credit” for finding the vulnerability, Aruba will provide that in the published security advisory.


Disclosure Guidelines

Public disclosure of vulnerabilities will generally take place only after permanent fixes are available.  Where the vulnerability occurs in multiple branches of software, or in multiple software products, Aruba will publish advisories once the last branch or product is updated and released.  However, if Aruba learns that information about an unpublished vulnerability is being communicated externally, a vulnerability advisory will be published immediately along with details of any possible workaround or defense.  In the case of vulnerabilities in open-source software that are being publicly discussed, Aruba will immediately issue a security advisory once it has been determined that the vulnerability affects an Aruba product.

The initial vulnerability advisory will consist of general information about the vulnerability, workarounds, and steps to resolve the vulnerability. The public advisory is the only information that Aruba will provide to anyone for the first 60 days.  After 60 days Aruba may, at its sole discretion, make public full details about the vulnerability. Security researchers who wish to publicize Aruba vulnerability details (e.g. in a blog or at a conference) are asked to wait for the same 60-day period after an advisory has been published. As a courtesy, we request you inform Aruba that such presentation will be given.

Disclosure is not selective under any circumstances. It is Aruba’s policy to notify all customers of vulnerabilities at the same time. No Aruba customer, partner, or third-party is given advance notification or additional details of a vulnerability. Aruba’s OEM partners are generally notified three days in advance of public disclosure to allow their respective security response teams to prepare for notification of their own customers. Aruba’s OEM partners have agreed contractually to coordinate vulnerability notifications with Aruba so that all end users are alerted at the same time. Aruba’s customer-facing employees (TAC, SE, etc.) are provided a copy of the advisory approximately 18 hours before public disclosure, but are prohibited from sharing that information until it is officially released.  OEM partners and customer-facing employees are only given a copy of the public advisory; they are not provided with full details of a vulnerability.


Receiving Security Advisories

Security advisories are published on the Aruba Security Advisories web site. This site includes the latest advisories as well as an archive of previous advisories.

Aruba offers a notification email service for security advisories. To subscribe to this service, visit the self-service portal.  This free service is available to the public and is offered on a best-effort basis through a commercial mailing list provider. Aruba may offer other notification channels through premium support service offerings, but under no circumstances will Aruba offer an “advance notification” service.


About This Document

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Aruba reserves the right to change or update this document without notice at any time.