TCG Vulnerability Disclosure Policy

Overview

The Trusted Computing Group (TCG) as a standards organization is committed to receiving and responding to reports of potential vulnerabilities in TCG-developed technologies such as specifications, reference code, and reference documents. Our goal is to provide our adopters with timely information, guidance, and mitigation options to address vulnerabilities. The TCG Vulnerability Response Team (VRT) is chartered and responsible for coordinating the response and disclosure of specification vulnerabilities that are reported to TCG.

Reporting security vulnerabilities

TCG recommends that reporters also contact the Vulnerability Response Teams for the vendor whose implementation contains the potential issue. You can find a list of TCG member company response teams below.

Company Response Teams

CompanyEmailWebsite
Advanced Micro Devices, Inc (AMD)
[email protected]
https://www.amd.com/en/corporate/contact-product-security
Aruba, a Hewlett Packard Enterprise Company
[email protected]
https://www.arubanetworks.com/support-services/sirt/
Dell[email protected]www.dell.com/security
GE
[email protected]
https://www.ge.com/security
Hewlett Packard Enterprise
[email protected]
https://www.hpe.com/h41268/live/index_e.aspx?qid=11503
Intel Corporation[email protected]www.intel.com/security
Lenovo
[email protected]
https://www.lenovo.com/us/en/product-security/reporting-a-vulnerability
Microsoft
[email protected]
http://www.microsoft.com/msrc
Phison Electronics Corp.
[email protected]
https://www.phison.com/en/
STMicroelectronics[email protected]https://www.st.com/psirt
UK’s National Cyber Security Centre (NCSC)
[email protected]
https://www.ncsc.gov.uk/information/vulnerability-reporting

 

If you identify a vulnerability in our specifications, reference code, and reference documents please report it immediately. Reports can be sent to [email protected]. Timely identification of security vulnerabilities is critical to mitigating potential risks to our adopters. When reporting a vulnerability, please include as much of the below information to help us better understand the nature and scope of the reported issue:

  • Finder’s email
  • Vulnerability Description (Include vulnerability details and how to reproduce the issue)
  • The version label for the affected software or document
  • Finder’s PGP public key if available or via standard means

Please note that the TCG is currently limited to inquiries and responses written in English.

Handling security vulnerabilities

TCG monitors for submissions and acknowledges initial receipt within 3 business days. The vulnerability response activities will be tailored to the circumstances and will generally proceed as follows: 1) Triage report 2) Remediation determined 3) Communication plan 4) Mitigation 5) Response.

TCG strives to provide the remedy or corrective action in the shortest commercially reasonable time. Response timelines will depend on many factors, such as the severity, the remedy complexity, the affected component (e.g., some updates require longer validation cycles or can only be updated in a major release), or the stage of the product within its lifecycle, among others. TCG VRT will coordinate with the finder throughout the vulnerability investigation and provide the finder with updates on case progress.

Coordinated Disclosure Practices

TCG follows multi-party coordinated disclosure practices, under which vulnerabilities are generally publicly disclosed only after mitigations are made available to customers. This allows the vendors the opportunity to triage and offer tested updates, workarounds, or other corrective measures before any involved party discloses detailed vulnerability or exploit information to the public. Multi-party coordinated disclosure industry best practices is designed to protect technology adopters. Public disclosure of a potential vulnerability before mitigations are deployed could allow adversaries to exploit the vulnerability.

In most cases, TCG will disclose mitigations through TCG Security Advisories where applicable. The TCG Security Advisories will typically include the following information:

  • Date of publication
  • CVE ID’s
  • CVSS v3.1 scoring
  • Details of the vulnerability in the affected TCG specification and potential impacts
  • Erratum
    • Remediation or workaround, if any (link)
  • Acknowledge the finder and/or the finder’s organization

Severity Rating

A security vulnerability is classified by its severity rating, which is determined by many factors, including the level of effort required to exploit a vulnerability as well as the potential impact to data or business activities from a successful exploit. TCG uses the Common Vulnerability Scoring System version 3.1 (CVSS v3.1) to identify the severity level of identified vulnerabilities. The full standard is maintained by FIRST.

Disclaimer

This Vulnerability Response Policy (“Policy”) does not constitute a warranty or alter the terms of any license with respect to any TCG-developed technology.  TCG reserves the right to change or update this Policy without notice at any time and on a case-by-case basis.  Response is not guaranteed for any specific issue or class of issues. Your use of the information in this Policy or materials linked from the Policy is at your own risk.

Join

Membership in the Trusted Computing Group is your key to participating with fellow industry stakeholders in the quest to develop and promote trusted computing technologies.

Join Now

Trusted Computing

Standards-based Trusted Computing technologies developed by TCG members now are deployed in enterprise systems, storage systems, networks, embedded systems, and mobile devices and can help secure cloud computing and virtualized systems.

Read more

Specifications

Trusted Computing Group announced that its TPM 2.0 (Trusted Platform Module) Library Specification was approved as a formal international standard under ISO/IEC (the International Organization for Standardization and the International Electrotechnical Commission). TCG has 90+ specifications and guidance documents to help build a trusted computing environment.

Read more