CSIRT Description

The following so that customers can use it comfortably and with peace of mind
We set a service level as a target and operate it.

Document Information

Distribution List for Notifications

We report the update notification of this document at our website.

Locations where this Document May Be Found

You can check the following URL.

  • https://www.cybozu.com/jp/productsecurity/management/cysirt-en.html

Contact Information

Name of the Team

Official name:
Cybozu Inc. Security Incident Response Team
Abbreviation:
Cy-SIRT

Address

Tokyo Nihonibashi Tower 27F
2-7-1 Nihonbashi, Chuou-ku, Tokyo, 103-6028 Japan

Date of establishment

August 4, 2011

Time Zone

Japan Time (GMT +0900 throughout the year)

Telephone Number

+81-3-6324-3999

Facsimile Number

We do not hold.

Electronic Mail Address

Please contact us from the following e-mail address when you inform us of security incidents including confidential information.

Please contact us from the following e-mail address when you inform us of security information on products.

Public Keys and Encryption Information

Information on Cy-SIRT’s public key is as follows.

Security Office
  • Key ID:0x1ACA0390

  • Key Type:4,096-bit RSA (secret key available)

  • Key Finger Print:4EC5 78C3 8FD9 EF99 CA98 5EED 3E41 917A 1ACA 0390

Cy-PSIRT
  • Key ID:0x427D2E57

  • Key Type:4,096-bit RSA (secret key available)

  • Key Finger Print:BA13 6407 6063 621D AE10 0351 3FFA 20DF 427D 2E57

Team Members

Representative: Yoichi Akeo (Security Office)

Coordinator:Kazuki Niizeki (Cy-PSIRT) , Ikue Yamanishi (Cy-PSIRT) , Yuriko Otsuka (Cy-PSIRT) , Shinya Kubo(Cy-PSIRT), Hitomi Nagatomo (Cy-PSIRT) , Jumpei Otsuka (Cy-PSIRT) , Shima Nakaido (Security Office) , Ding jie (Security Office) , Tatsuya Konishi (Cy-PSIRT) , Ibuki Taguchi(Cy-PSIRT)

Operating Hours

We accept 24 hours, but the available time is as follows.

09:00 – 18:00(GMT +09:00)(weekday only, except year-end and new year)

Team Logo

Points of Customer Contact

Please contact us from the following form when you inform us of security information on Cybozu products.

Please contact us from the following form when you inform us of security incidents on Cybozu.

In both cases we will contact you in either Japanese or English.

Charter

Mission Statement

Cy-SIRT was established to strength the conventional system when we start the cloud service.
We aim to cooperate with outside organizations and experts to prevent incidents occurrence, to detect early, to resolve incidents as soon as possible, and to minimize incidents when they occur.

Constituency

Cy-SIRT has been placed in the Cybozu,Inc.
The constiency of Cy-SIRT will be the customer who is considering using our service or using our service and the partner who handles our products.

Composition

Cy-SIRT has two functions.

PSIRT (Cy-PSIRT)
Cy-PSIRT works to improve the security quality of Cybozu products.
CSIRT(Security Office)
Security Office works for the purpose of handling security incidents and preventing them in Cybozu.

Authority

Cy-SIRT has the authority to do the following:

  • 1. Support for vulnerability information on Cybozu products
  • 2. Information management and transmission regarding incidents occurring in our products and services
  • 3. Information gathering and transmission to prevent security incidents

We do not do the following:

  • Direct correspondence to security incidents occurred in our company
  • Field survey on the system we are introducing
  • Direct response to incidents occurring in the service you are introducing
Support for vulnerability information on Cybozu products
Cy-SIRT has authority to contact other organizations and communities as part of support response.
Information gathering and transmission to prevent security incidents
Cy-SIRT periodically conducts vulnerability verification on each service in order to prevent the occurrence of security incidents in advance.

Policies

Type of Incident and Level of Support

Cy-SIRT will support you for inquiries addressed to e-mail address and web form.
For information received during the course of support work, we will deal with the internal regulations.

Co-operation, Interaction and Disclosure of Information

Policy on collaboration with other organizations and communities

Cy-SIRT has authority to contact other organizations and communities as part of support response. We will use the following e-mail address for contact.

Policy on information provision to police agencies
Cy-SIRT does not have the authority to directly contact the police agency.
We will contact the existing organization in our company and contact the related agencies.
Policy on providing information to media
Cy-SIRT does not have the authority to contact the media directly.
We will contact the existing organization in our company and contact the related agencies.

Communication and Authentication

Please contact us from the following form when you inform us of security information on Cybozu products.

Please contact us from the following form when you inform us of security incidents on Cybozu.

You can contact us by email using PGP when you send information on security incidents including confidential information.

Services

Incident Response

Cy-SIRT collects technical information necessary for handling incidents related to our service and supports system administrator’s incident response.

Incident Triage
Cy-SIRT determines the importance of vulnerability according to CVSS v3 (Also consider feasibility and unique characteristics of products and services.).
Based on the judgment result, we will respond according to our company regulations.
Incident Coordination
In accordance with our company regulations, Cy-SIRT will cooperate with external organizations to disclose information to the outside. For incidents that we can not solve, we will cooperate with other organizations and contact the police agency through the legal department if necessary.
Incident Resolution
We will analyze incidents caused by products and advise on recurrence prevention measures.

Proactive Activities

Cy-SIRT is working on the following activities with the objective of preventing incidents in advance.

  • Penetration test of our service
  • Web application vulnerability diagnosis
  • Management of third party products and services that we use
  • Review of our products and service verification plans
  • Assist in planning our incident response plan and review

Disclaimers

Cy-SIRT assumes no responsibility for any losses caused directly or indirectly by using the information contained in this description document or by using it.