Toshiba Group collects information about vulnerabilities in our products and services and evaluates their impact and risk in accordance with this policy, so as to allay any security concerns customers may have and enable them to use our products and services with confidence. When a vulnerability is validated, we will properly disclose information about the vulnerability and how to fix it at an appropriate time. To promote actions based on this policy, we participate in the Information Security Early Warning Partnership*1 and the CVE Program*2.
*1 Information Security Early Warning Partnership (IPA)
https://www.ipa.go.jp/en/security/vulnerabilities/partnership.html
*2 CVE Program
https://www.cve.org/
Collecting vulnerability information
Toshiba Group collects information about vulnerabilities in our products and services from a wide range of sources. If you discover a vulnerability in one of our products or services, please report it to Toshiba Group’s point of contact for vulnerability information (i.e., Toshiba PSIRT) or to a vulnerability coordination body.
Please include at least the following information in the report:
- Name of the product or service concerned
- Description of the vulnerability and its anticipated impact
Please encrypt the e-mail using PGP.
After receiving vulnerability information, we will inform the reporter of its acceptance within three business days, except during specific holidays. We might refrain from taking any action if we find that the report is not aligned with this policy.
Vulnerability investigation and countermeasure
We will share the accepted vulnerability information within Toshiba Group and investigate it. If we identify it as a new vulnerability, we will assess its impact and risk. If, as a result of the assessment, we confirm the need for mitigation, we will work to address the vulnerability and prepare countermeasures, engaging with other stakeholders as necessary. If we determine that it is not a new vulnerability, we will close the investigation after communicating appropriately with the reporter.
We will properly manage information about vulnerabilities, their countermeasures, and other related matters within Toshiba Group and will not disclose it to any third party before it is published.
Communications with the reporter of vulnerability
We will communicate properly with the reporter of a vulnerability and give the reporter updates on the progress of the investigation and subsequent actions, at least when we:
- have identified a new vulnerability in Toshiba Group’s product or service;
- have changed its view because of investigation or assessment;
- engage with stakeholders other than the reporter;
- prepare to publish a vulnerability report; and
- close a case.
We may ask the reporter to provide additional information during the above processes. All communications with the reporter will be by email. To prevent unintended leakage of email messages, we may request that emails be encrypted. Toshiba Group shall never sue the reporter of a vulnerability for reporting and cooperating in good faith.
Publication
When customers need to take action to reduce cybersecurity risk, we will disclose information about the vulnerabilities and how to fix them at an appropriate time on our website, on the Japan Vulnerability Notes (JVN*3) portal site, and elsewhere. If a CVE ID has not been assigned to a vulnerability, we will assign one as a CNA (CVE Numbering Authority) and include it in the publication. In cases where a specific customer might be affected with respect to a social infrastructure product or service, we might contact the customer directly, for example through our sales representative.
*3 JVN: Japan Vulnerability Notes
https://jvn.jp/en/
Acknowledgment
We will post an acknowledgment in the publication to the people who contributed to the discovery and fixing of the vulnerability, subject to their agreement.
Revision History
July 18, 2025: Added detailed descriptions
June 16, 2021: First version