Vulnerability Disclosure Policy
Xerox is committed to Security
As a leader in the development of digital imaging technology, we are committed to keeping information secure by proactively identifying potential vulnerabilities in Xerox® Products® or software solutions which are considered our Offerings.
Our commitment to security begins early in development with secure coding techniques, extensive testing, and analysis to eliminate vulnerabilities. Xerox also engages in certification practices such as Common Criteria and additionally seeks compliance to the latest emerging standards like the new Hardcopy Device Protection Profile.
There are cases where new vulnerabilities occur after Offerings are in the field. It is Xerox policy to largely mitigate these vulnerabilities in as timely a manner as possible and practice responsible disclosure to our customers. Factors such as complexity of the system and severity of the vulnerability may cause this response time to vary.
In addition, Xerox actively collaborates with customers, security experts and researchers who may submit potential security vulnerabilities they have discovered. Xerox values its relationships with those in the security community and takes all reports submitted to us seriously. We are appreciative of these ongoing collaborative practices within the security community, as they complement our own rigorous security practices.
For more information on how Xerox strives for a higher security standard please see our Vulnerability Management and Disclosure Policy whitepaper.
Working with the Security Research Community
We encourage all within the security research community to report potential vulnerabilities they identify. The processes involved in vulnerability validation and any subsequent mitigation can be lengthy as many in the security research community understand. In some instances a vulnerability may be particularly complex, or mitigation may have to be implemented across multiple products or baselines. We therefore require a minimum of 90 days to provide a fix, though we will always strive for the fastest resolution time possible. This is done to protect our customers since public disclosure of unresolved vulnerabilities can have harmful unintentional outcomes for our customers.
When a researcher informs us of a potential issue, they trust us to take action to validate and/or mitigate it, and we trust that they will be patient and ethical in their actions. This allows CVE (Common Vulnerabilities and Exposures) disclosure to be coordinated while ensuring that specific technical means and methods are not disclosed in a way that may leave customers less secure. As part of this trust relationship, we ask that in the process of vulnerability disclosure researcher actions do not:
- Cause harm to Xerox customers, Xerox Corporation, its partners or suppliers, or any other individuals or organizations
- Compromise the safety or security of our Products or Software Solutions
- Infringe any applicable intellectual property rights or trade secrets
- Violate any applicable data privacy laws and regulations
Note: Xerox does not have a Bug Bounty program, but we do work globally with security researchers and those in the security community. If your findings are newly reported, validated by Xerox and we publish a security bulletin as a result, it is our practice to give documented credit within the published security bulletin.
How to report a potential vulnerability
Note: If you are a Xerox customer, partner, or supplier you should contact your Xerox point of contact directly rather than use this process.
If you believe that you have identified a security vulnerability in a Xerox product software/firmware, please access our form here and provide as much of the following information as possible:
- The Product model(s), Software Solution or Digital Front End versions and software versions affected
- A detailed description of the vulnerability
- Scan report details (can be submitted after a member of the Product Security Incident Response Team (PSIRT) contacts you) and scan tool used (if applicable)
- Instructions on how to reproduce the vulnerability/exploit information
We encourage use of encryption to submit your vulnerability report. A method of encryption can be provided once the initial submission is received.
Vulnerabilities/issues not related specifically to Xerox® Offerings® will be forwarded to the appropriate area and addressed outside of this process.
How Xerox responds to vulnerability reports
- After we receive your vulnerability report, we will confirm receipt immediately by e-mail from the automated system, and then within two business days by e-mail from someone on our Product Security Information Response Team (PSIRT).
- The PSIRT will work with you and our product development teams to validate the vulnerability and determine its root cause. Evaluation of possible impacts to customer networks, job data and other products that may be affected is also performed. Within that process we evaluate if:
- An exploit exists
- The exploit has been implemented external to Xerox
- The exploit has been made known to Xerox
- The exploit has been made known publicly
- Evaluation of the vulnerability exploitability factor is conducted to determine the criticality of any mitigation that may be provided. The severity rating is based on the following factors:

| Rating | Description |
|---|---|
| Critical | A vulnerability whose exploitation could allow an attacker to take over the system and execute arbitrary code. |
| Important | A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user's data, or of the integrity or availability of processing resources. |
| Moderate | Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation. |
| Low | A vulnerability whose exploitation is extremely difficult, or whose impact is minimal. |
- The fix is then made available to customers via a patch, software release or possible workaround, most often announced in a Security Bulletin. This could include instructions for security-related changes or for vulnerabilities in third-party software which may directly or indirectly impact a Xerox® Offering®. The Security Bulletin may include the following information:
- The Product/Software solution and vulnerable versions.
- CVE IDs or brief description of the vulnerability and applicable exploit details
- Remediation details such as links to software mitigation or other required actions
- When applicable credit will be given to the reporter of the vulnerability along with acknowledgement of their responsible disclosure in working with Xerox.
Please see the Patch Criticality Rating whitepaper for more information.
Xerox is dedicated to addressing security vulnerabilities which may affect our Offerings and customers by providing timely mitigation in the form of patches or firmware updates, guidance, or other appropriate actions that customers can take. Since the complexity of a vulnerability can vary, the timeframe for delivery of a solution can differ as well. We practice responsible disclosure and, to maintain the security of our customers, may delay announcement of a vulnerability that has not been fully evaluated and validated and for which no mitigation is available.
When publicly known vulnerabilities come to light, we evaluate whether any Xerox® Offerings® are impacted and take appropriate actions based on the severity of the vulnerability. We then inform our customers using appropriate communications.
Product Security NEWS section
Xerox may periodically publish a News headline article on our Product Security page to respond quickly and appropriately to public disclosures where the vulnerability may have received significant public attention and/or we are actively assessing impact to Xerox® Offerings®. In such an event, Xerox may accelerate communication, which may or may not include mitigation or workarounds. These communications can also result from third-party software announcing security improvements (or other changes) that may affect the functionality of our Offerings and of which customers should be aware.
Security Bulletin notification
Customers can sign up for RSS feeds to automatically be notified of published security bulletins or access their specific product security bulletins from our Product Security page by selecting the specific product model.
All Security Bulletins can also be found here.
Customer Rights: Warranties, Support, and Maintenance
Xerox customers’ rights with respect to warranties, support and maintenance, including vulnerabilities, in any Xerox® Offering® are governed by the applicable agreement between Xerox and the customer.
Any information provided to Xerox regarding vulnerabilities in Xerox® Offerings® including all information in a product vulnerability report shall become the sole property of Xerox, and Xerox may freely use such information for any business purpose.
All aspects of the Xerox Vulnerability Disclosure process and policies are subject to change without notice. Your use of the information on this web page or materials linked from this web page is at your own risk.