ALE Product Security Incident Response Team

We acknowledge how important it is for our customers to be able to rely on secure products and solutions. It is therefore our goal to ensure that Alcatel-Lucent Enterprise (ALE) products are developed on the basis of all appropriate security principles. We follow a comprehensive security program that combines:

  • Secure software development best practices, processes, and tools
  • Rigorous product security requirements
  • Periodic validation and quality of security testing before release

Despite these security principles and related actions, vulnerabilities can be discovered in the software components of our products which, when exploited, can have an impact on the security level of these products once deployed in customers' networks.

Addressing security issues is the responsibility of the ALE Product Security Incident Response Team (PSIRT). ALE PSIRT is dedicated to managing the requests, investigation and reporting about vulnerabilities or technical issues impacting ALE products and solutions.

Reporting a suspected Security Vulnerability

Individuals or organizations that are experiencing a technical security issue with an ALE product or solution are strongly encouraged to contact the ALE PSIRT by following these steps:

  1. Obtain the ALE PSIRT PGP public key; this will ensure the confidentiality of the communication. Confidentiality is a key point at this step to protect the security of our customers, in line with our responsible disclosure policy.
  2. Complete the vulnerability summary report (VSR)
  3. Send the completed report to the email address:
  4. Consider including the reporting organization’s public PGP key in the report email and encrypting the message with the ALE PSIRT PGP public key.

The ALE PSIRT process detailed hereunder will be followed while maintaining the discussion with the reporter. Communication with all involved parties is a key activity in our vulnerability solution process.

Other channels for contacting Alcatel-Lucent Enterprise

Customers are also encouraged to report suspected security vulnerabilities via their usual support channels.
Depending on the maintenance contract, these contact points will be able to assist in more general situations such as:

  • technical assistance to determine if a security problem exists
  • configuring an ALE product for a specific security-related function
  • questions about an announced security problem with an ALE product
  • implementation of any workarounds defined for the vulnerability

Note that ALE PSIRT should NOT be contacted to report or get support for security incidents that are happening "live" in deployed networks and solutions. Such incidents are to be reported only via the usual customer support channels.

ALE Product Security Incident Response Process

  1. Reporting the vulnerability via
  2. ALE acknowledges the reception of the VSR to the reporter
  3. ALE PSIRT analyzes the relevancy. Reporters will be informed on a regular basis about the status of the ongoing investigation of the vulnerability
  4. ALE PSIRT communicates analysis conclusions to the reporter
  5. If any impacts are confirmed, ALE will:

- Coordinate fix and impact assessment
- Define timeframe of correction delivery, notification plans, and disclosure to public organizations such as and CERT organizations

Confidentiality - ALE PSIRT PGP public key

The ALE PSIRT process ensures that neither unauthorized ALE employees nor outside users will get access to the information provided by the incident reporter. ALE also guarantees that, on request, the name of the incident reporter will not be disclosed in public communications or be used in further external distribution. Similarly, the ALE PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the ALE PSIRT on the ALE websites through the appropriate coordinated disclosure.

To ensure the confidentiality of the report and of the subsequent communication with ALE PSIRT, we encourage reporters to send encrypted messages using the following ALE PGP public key and to send their own public PGP key in return.

Key-ID : F5FBB615
Fingerprint: 7C52 9AB3 661A 9034 5A6C 7713 0A7D AAEC F5FB B615
E-mail :

This public key can be found on

Third-Party Software Vulnerabilities

ALE PSIRT works with third-party coordination centers such as CERT-IST, NVD and US-CERT to manage vulnerability notices reported on third-party software embedded or used in ALE products and solutions. Each report is referred to by a unique CVE (Common Vulnerabilities and Exposures) number. Each issued CVE is analyzed by ALE teams to provide an adjusted risk score that reflects the effective impact on our products.

Risk assessment

ALE PSIRT uses version 3.0 of the Common Vulnerability Scoring System (CVSS) to evaluate reported and analyzed vulnerabilities. Although the CVSS numerical score gives standard information about the estimated risk of a given vulnerability, we often abstract it to a more comprehensive scale of impact with the following values:

Risk impact | CVSS score | Color code
 | 3.9 or below |


Responsible Disclosure

If one or more of the following conditions exist, ALE will publicly disclose a Security Advisory:

  1. An incident response process has been completed and it has been determined that enough software patches or workarounds exist to address the vulnerability, or subsequent public disclosure of code fixes is planned to address high to critical severity vulnerabilities.
  2. Active exploitation of a vulnerability has been observed that could lead to increased risk for our customers. Early Security Advisories may then be published prior to the publication of available patches or corrections in order to inform our customers about potential risks.
  3. Public information about the vulnerability can expose our customers to potential increased risk. Early Security Advisories may then be published prior to the publication of available patches or corrections in order to inform our customers about potential risks.

All security publications are disclosed via the ALE business portal website. ALE reserves the right to deviate from this policy on an exception basis to ensure software patch availability and our customers’ security.


Security Advisory | Edition | Date Issued
SA-G0001-WannaCry General Security Information | ed02 | 5/15/2017
SA-C0058-Multiple vulnerabilities on OmniVista 8770 | ed01 | 5/1/2017
SA-C0059-Information about Struts vulnerabilities | ed01 | 5/1/2017
SA-N0042-Apache Struts Remote Code Execution Vulnerability | ed01 | 3/13/2017
SA-N0041-IPv6 Neighbor Discovery vulnerability CVE-2016-1409 | ed01 | 3/10/2017
SA-N0034-AOS Release 7 and 8 Resumption of Issu upgrade | ed02 | 2/8/2017
SA-N0040-OV3600 Management Platform Multiple Vulnerabilities January 2017 | ed01 | 1/19/2017
SA-C0057-Linux Kernel Dirty Cow | ed02 | 1/3/2017
SA-N0039-OmniAccess WLAN Dirty Cow Linux Kernel Vulnerability | ed01 | 11/6/2016
SA-N0038 OmniAccess WLAN Products and 31st December Leap Second | ed01 | 11/2/2016
