ph@cert.sei.cmu.edu (J Paul Holbrook) (08/16/90)
The following message describes Sun's new Customer Warning System for security problems. This message was sent to all employees at Sun and was sent to us by Sun's Beverly Ulbrich, who is Product Manager for Software Security. Ms. Ulbrich has given us permission to redistribute this information to anyone who might be interested. This message describes the methods customers should use to report security problems to Sun and a way to sign up to receive warnings from Sun about security problems. Please direct any questions you have about the specifics of Sun's mechanism to one of the Sun employees listed below. J. Paul Holbrook Computer Emergency Response Team Internet: <cert@CERT.SEI.CMU.EDU> (412) 268-7090 24 hour hotline: CERT personnel answer 7:30am-6pm EST, on call for emergencies other hours ---------------------------------------------------------------------- X-From: Beverly Ulbrich - Product Manager, Software Security Jack Collins - Director, Technical Support Services X-Subject: Announcing Sun Microsystem's Customer Warning System for Security Incident Handling In order to best serve our customers' service needs, Sun has established a Customer Warning System (CWS) for handling security incidents. This is a formal process which includes: - Having a well advertised point of contact in Sun for reporting security problems. - Pro-actively alerting customers of worms, viruses or other security holes that could affect their systems. - Distributing the patch (and/or work-around) to our customers as quickly as possible. More specifically, the CWS is being set up as follows: We have created an email address ( security-alert@sun ) which will enable both internal and external people to have a single place to report security problems. We have provided a voice-mail back-up ( (415)-336-7205 ) for the cases where sending email is not possible. *ALL* SECURITY HOLES SHOULD BE REPORTED TO THIS ALIAS. We have filled the position of "Security Coordinator" in our Customer Service Organization. The Security Coordinator is responsible for manning the email and voice mail hotlines and evaluating the security problems. We have a Customer Warning System "SWAT Team" in place to address severe security incidents. The CWS SWAT Team consists of knowledgeable senior people within Sun Corporate who are committed to being available to meet whenever required and who are empowered to make all necessary decisions. We plan on publicizing the CWS bi-monthly to the allsun alias. It will also be announced (and supported) by the various Computer Emergency Response Teams Sun works with. Please pass this information along to whoever you feel is appropriate. Sales Representatives should be certain to send this information to all their security-conscious customers! Customers and Sun Field Offices may send us a "Security Contact" from their organizations. This is the person Sun should contact in the case of any new security problems. He or she will be sent information on the problem at hand, including work-arounds and how and when to obtain fixes. Preferably, your Security Contact should be technical. He or she should be your site's System Administrator (or System Security Administrator). The information we need for the Security Contact from the three geographies for customers is as follows: ---------------------- U.S. Security Contact Information -------------------- Company Name: Security Contact's Name: Customer Number (from Cullinet): Address ID (from Cullinet)*: Postal address: Email address: Phone number: Fax number: Preferred method of contact (from above: 1st, 2nd and 3rd choice): * If there is not an existing Address ID, we need the full address for the security contact. ----------------- Europe and ICON Security Contact Information --------- Company Name: Security Contact's Name: Customer Number: Address Id: If there is no customer number or Address ID, then we need the following information for each customer: Postal Address: Email Address: Phone Number: Fax Number: Preferred method of contact (from above: 1st, 2nd and 3rd choice): --------------- Sun Field Office Security Contact Information --------------- Office Location: Security Contact's Name*: Email address: *One per office ---------------------------------------------------------------------------- ***** PLEASE SEND THIS INFORMATION TO: ***** security-alert@sun.com or, if you prefer postal mail: Brad Powell c/o Sun Microsystems MTV18-04 2550 Garcia Ave. Mt. View, CA 94043 All questions should be sent to bju@sun.com.