CSIRT Description

We report the update notification of this document at our website.

You can check the following URL.

• https://www.cybozu.com/jp/productsecurity/management/cysirt-en.html

Official name:

Cybozu Inc. Security Incident Response Team

Abbreviation:

Cy-SIRT

Tokyo Nihonibashi Tower 27F
2-7-1 Nihonbashi, Chuou-ku, Tokyo, 103-6028 Japan

August 4, 2011

Japan Time (GMT +0900 throughout the year)

+81-3-6324-3999

We do not hold.

Please contact us from the following e-mail address when you inform us of security incidents including confidential information.

• security@cybozu.co.jp

Information on Cy-SIRT’s public key is as follows.

Security Office

• security@cybozu.co.jp
• https://www.cybozu.com/jp/features/management/security_office.asc

• Key ID：0x1ACA0390

• Key Type：4,096-bit RSA (secret key available)

• Key Finger Print：4EC5 78C3 8FD9 EF99 CA98 5EED 3E41 917A 1ACA 0390

Cy-PSIRT

• productsecurity@cybozu.co.jp
• https://www.cybozu.com/jp/features/management/cy-psirt.asc

• Key ID：0x74885C93

• Key Type：4,096-bit RSA (secret key available)

• Key Finger Print：D1DE 800A 3D15 D26F 4414 CD6E 2D01 4950 7488 5C93

Representative: Yoichi Akeo (Security Office)

Coordinator:Kazuki Niizeki (Cy-PSIRT) , Ikue Yamanishi (Cy-PSIRT) , Yuriko Otsuka (Cy-PSIRT) , Shinya Kubo（Cy-PSIRT）, Hitomi Nagatomo (Cy-PSIRT) , Jumpei Otsuka (Cy-PSIRT) , Shima Nakaido (Security Office) , Shun Sugiyama (Security Office) , Tatsuya Konishi (Cy-PSIRT) , Ibuki Taguchi（Cy-PSIRT）, Koji Nedate (Security Office) , Jun Matsumoto (Security Office)

We accept 24 hours, but the available time is as follows.

09:00 – 18:00（GMT +09:00）（weekday only, except year-end and new year）

Please contact us from the following form when you inform us of security information on Cybozu products.

• https://www.cybozu.com/jp/productsecurity/management/security_en.html

Cy-SIRT was established to strength the conventional system when we start the cloud service.
We aim to cooperate with outside organizations and experts to prevent incidents occurrence, to detect early, to resolve incidents as soon as possible, and to minimize incidents when they occur.

Cy-SIRT has been placed in the Cybozu,Inc.
The constiency of Cy-SIRT will be the customer who is considering using our service or using our service and the partner who handles our products.

Cy-SIRT has two functions.

PSIRT (Cy-PSIRT)

Cybozu’s PSIRT team (Cy-PSIRT) works to continuously enhance the security of products and services developed and offered by Cybozu, and to respond to incidents, including bugs and technical failures, that may affect these products and services.

CSIRT（Security Office）

Security Office works for the purpose of handling security incidents and preventing them in Cybozu.

Cy-SIRT has the authority to do the following:

• 1. Support for vulnerability information on Cybozu products
• 2. Information management and transmission regarding incidents occurring in our products and services
• 3. Information gathering and transmission to prevent security incidents

Support for vulnerability information on Cybozu products

Cy-SIRT has authority to contact other organizations and communities as part of support response.

Information gathering and transmission to prevent security incidents

Cy-SIRT periodically conducts vulnerability verification on each service in order to prevent the occurrence of security incidents in advance.

Cy-SIRT will support you for inquiries addressed to e-mail address and web form.
For information received during the course of support work, we will deal with the internal regulations.

Policy on collaboration with other organizations and communities

Cy-SIRT has authority to contact other organizations and communities as part of support response. We will use the following e-mail address for contact.

• security@cybozu.co.jp
• productsecurity@cybozu.co.jp

Policy on information provision to police agencies

Cy-SIRT does not have the authority to directly contact the police agency.
We will contact the existing organization in our company and contact the related agencies.

Policy on providing information to media

Cy-SIRT does not have the authority to contact the media directly.
We will contact the existing organization in our company and contact the related agencies.

Policy on disclosing Cybozu’s use of open-source software

Due to security considerations, we do not disclose information about the open-source software Cybozu uses.
Direct inquiries requesting such information will not be answered.

Please contact us from the following form when you inform us of security information on Cybozu products.

• https://www.cybozu.com/jp/productsecurity/management/security_en.html

Cy-SIRT collects technical information necessary for handling incidents related to our service and supports system administrator’s incident response.

Incident Triage

Cy-SIRT determines the importance of vulnerability according to CVSS v3 (Also consider feasibility and unique characteristics of products and services.).
Based on the judgment result, we will respond according to our company regulations.

Incident Coordination

In accordance with our company regulations, Cy-SIRT will cooperate with external organizations to disclose information to the outside. For incidents that we can not solve, we will cooperate with other organizations and contact the police agency through the legal department if necessary.

Incident Resolution

We will analyze incidents caused by products and advise on recurrence prevention measures.

Cy-SIRT is working on the following activities with the objective of preventing incidents in advance.

• Penetration test of our service
• Web application vulnerability diagnosis
• Management of third party products and services that we use
• Review of our products and service verification plans
• Assist in planning our incident response plan and review
• Research about vulnerabilities in open-source software that Cybozu utilizes