Sun's new security customer warning system

J Paul Holbrook ph at cert.sei.cmu.edu
Thu Aug 16 05:48:24 AEST 1990 

The following message describes Sun's new Customer Warning System for
security problems.  This message was sent to all employees at Sun and was
sent to us by Sun's Beverly Ulbrich, who is Product Manager for Software
Security.  Ms. Ulbrich has given us permission to redistribute this
information to anyone who might be interested.

This message describes the methods customers should use to report security
problems to Sun and a way to sign up to receive warnings from Sun about
security problems.

Please direct any questions you have about the specifics of Sun's
mechanism to one of the Sun employees listed below.

J. Paul Holbrook
Computer Emergency Response Team
Internet: <cert at CERT.SEI.CMU.EDU>
(412) 268-7090  
24 hour hotline: CERT personnel answer 7:30am-6pm EST, on call for
   emergencies other hours

----------------------------------------------------------------------

X-From: Beverly Ulbrich - Product Manager, Software Security
        Jack Collins - Director, Technical Support Services

X-Subject:  Announcing Sun Microsystem's Customer Warning System 
                   for Security Incident Handling  

In order to best serve our customers' service needs, Sun has established a
Customer Warning System (CWS) for handling security incidents.  This is a
formal process which includes:

	- Having a well advertised point of contact in Sun for reporting 
	  security problems. 			
	- Pro-actively alerting customers of worms, viruses or other security 
	  holes that could affect their systems. 
	- Distributing the patch (and/or work-around) to our customers as 
	  quickly as possible.

More specifically, the CWS is being set up as follows:

We have created an email address ( security-alert at sun ) which will enable
both internal and external people to have a single place to report
security problems.  We have provided a voice-mail back-up ( (415)-336-7205
) for the cases where sending email is not possible.   *ALL* SECURITY
HOLES SHOULD BE REPORTED TO THIS ALIAS.

We have filled the position of "Security Coordinator" in our Customer
Service Organization.  The Security Coordinator is responsible for manning
the email and voice mail hotlines and evaluating the security problems.
We have a Customer Warning System "SWAT Team" in place to address severe
security incidents.  The CWS SWAT Team consists of knowledgeable senior
people within Sun Corporate who are committed to being available to meet
whenever required and who are empowered to make all necessary decisions.  

We plan on publicizing the CWS bi-monthly to the allsun alias.  It will
also be announced (and supported) by the various Computer Emergency
Response Teams Sun works with.  Please pass this information along to
whoever you feel is appropriate.  Sales Representatives should be certain
to send this information to all their security-conscious customers!

Customers and Sun Field Offices may send us a "Security Contact" from
their organizations.  This is the person Sun should contact in the case of
any new security problems.  He or she will be sent information on the
problem at hand, including work-arounds and how and when to obtain fixes.
Preferably, your Security Contact should be technical.  He or she should
be your site's System Administrator (or System Security Administrator).
The information we need for the Security Contact from the three
geographies for customers is as follows:

---------------------- U.S. Security Contact Information --------------------

Company Name:
Security Contact's Name:
Customer Number (from Cullinet):
Address ID (from Cullinet)*:

Postal address: 
Email address: 
Phone number:
Fax number: 
Preferred method of contact (from above: 1st, 2nd and 3rd choice):


* If there is not an existing Address ID, we need the full address for
  the security contact.



----------------- Europe and ICON Security Contact Information ---------

Company Name:
Security Contact's Name:
Customer Number:
Address Id:
If there is no customer number or Address ID, then we need the following
information for each customer:

Postal Address:
Email Address:
Phone Number:
Fax Number:
Preferred method of contact (from above: 1st, 2nd and 3rd choice):

--------------- Sun Field Office Security Contact Information ---------------

Office Location:
Security Contact's Name*:
Email address:

*One per office

----------------------------------------------------------------------------

*****   PLEASE SEND THIS INFORMATION TO:   *****

 	  security-alert at sun.com

or, if you prefer postal mail:

	Brad Powell
	c/o Sun Microsystems
	MTV18-04
	2550 Garcia Ave.
	Mt. View, CA 94043

All questions should be sent to bju at sun.com.

More information about the Comp.sys.sun mailing list