Vulnerability Information Handling Policy

Purpose and Scope

Purpose

To properly handle vulnerability information discovered internally and externally, properly address vulnerabilities, and mitigate risks to customers.

Scope

  • Our global services and products
  • Software created by third parties that we use in the above-mentioned products

Stages (two)

Vulnerability response

  1. Gather information

    We collect information from a wide range of internal and external sources and manage this information in a centralized manner.
    Specifically, our sources include external reports, such as from the Information Security Early Warning Partnership, reports from security researchers submitted to our Vulnerability Bounty Program, and internal avenues.

  2. Assess impact

    The PSIRT and the departments concerned will assess the scope and severity of the impact of the information obtained.
    We use CVSS as one of our severity indicators. The severity and urgency of the vulnerability will be determined according to the nature of the information found.

  3. Implement countermeasures

    Based on the results of the investigation, the relevant department will make a comprehensive decision on the nature and timing of the response.

Vulnerability information release process

If the conditions for release are met, information on the vulnerability response of the product will be published on JVN, a vulnerability countermeasure information portal site in Japan.
Information will be released on the date agreed upon with JPCERT/CC, in accordance with the principle of coincidental release dates.

Vulnerability information release

Information about fixed vulnerabilities is announced on the website below.
See the vulnerability information release process for details.

Vulnerability countermeasure information portal site in Japan

Acknowledgements

After the vulnerability information is made public, we will release the name of the person who reported it.
We will contact the reporter again after release.