Security Bulletins

We strongly encourage organizations and individuals to contact Zhone‘s security team to report any potential security issue. To report a security or privacy vulnerability, please send an email to support@zhone. Be sure to include “PSIRT Case” as the prefix in the subject line of your email. In the body of the email, please include the following information:

• The product model and software version
• A detailed description of the security or privacy issue
• Any steps to reproduce or relevant observations

Your prompt and thorough reporting is essential to helping us maintain the security and privacy of our products.

Zhone will endeavor to respond to the report within 7 working days. Zhone will need to obtain detailed information about the reported vulnerability to more accurately and quickly begin the verification process.

Responsible Reporting Guidelines

1. All parties to a vulnerability disclosure should comply with the laws of their country or region.
2. Vulnerability reports should be based on the latest released firmware, and preferably written in English.
3. Report vulnerabilities through the dedicated communication channel. Zhone may receive reports from other channels but does not guarantee that the report will be acknowledged.
4. Adhere to data protection principles at all times and do not violate the privacy and data security of Zhone’s users, employees, agents, services or systems during the vulnerability discovery process.
5. Maintain communication and cooperation during the disclosure process and avoid disclosing information about the vulnerability prior to the negotiated disclosure date.
6. Zhone is not currently operating a vulnerability bounty program.

How Zhone Deals with Vulnerabilities

Zhone encourages customers, vendors, independent researchers, security organizations, etc. to proactively report any potential vulnerabilities to the security team. At the same time, Zhone will proactively obtain information about vulnerabilities in Zhone products from the community, vulnerability repositories and various security websites. In order to be aware of vulnerabilities as soon as they are discovered. Zhone will respond to vulnerability reports as soon as possible, usually within 7 business days.

Zhone Security will work with the product team to perform a preliminary analysis and validation of the report to determine the validity, severity, and impact of the vulnerability. We may contact you if we need more information about the reported vulnerability. Once the vulnerability has been identified, we will develop and implement a remediation plan to provide a solution for all affected customers. Remediation typically takes up to 90 days and in some cases may take longer. You can keep up to date with our progress and the completion of any remediation activities. Zhone will issue a security advisory when one or more of the following conditions are met:

1. The severity of the vulnerability is rated CRITICAL by the Zhone security team and Zhone has completed the vulnerability response process and sufficient mitigation solutions are available to assist customers in eliminating all security risks.
2. If the vulnerability has been actively exploited and is likely to increase the security risk to Zhone customers, or if the vulnerability is likely to increase public concern about the security of Zhone products, Zhone will expedite the release of a security bulletin about the vulnerability, which may or may not include a full firmware patch or emergency fix.

Information on Minimum Security Update Periods

Zhone components that are actively under support, and not in end of life (EOL) or obsolete (OBS) state, are actively maintained with regular security updates. For EOL or OBS items, security updates will be made available for a period of 1 year from the EOL/OBS dates.