Security Incident Response Policy
The Ruckus Security Incident & Response Team (SIRT) is responsible for researching, analyzing and responding to security incident reports related to Ruckus products. The team is the first point of contact for all security incident reports and works directly with Ruckus customers, partners, security researchers, government organizations, consultants, industry security organizations and other vendors to identify security issues in Ruckus products.
Reporting Security Issues to Ruckus
Ruckus encourages individuals and organizations to report all product-related vulnerabilities and security issues directly to Ruckus Networks. The Ruckus SIRT may be contacted via [email protected].
Please provide a detailed description of the issue, the information needed to reproduce it, a technical contact, the list of affected Ruckus products, and logs or any other helpful information.
Ruckus strongly recommends encrypting any sensitive information sent to Ruckus by email with the PGP key published on our security page. Ruckus treats all security reports as confidential and asks the reporter to do the same: do not disclose the issue to other parties until Ruckus has responded and provided a resolution plan.
Lifecycle of a Reported Security Issue
Within Ruckus, the SIRT's focus is on validating the issue swiftly, identifying and prioritizing resources appropriately, and providing a mitigation path as soon as practicable. The steps below outline the typical lifecycle of a reported security incident at Ruckus (see Figure 1, below):
1. Report is received
Ruckus receives the report at the [email protected] email address or through other channels such as the support organization, field engineers or the sales team.
2. Reproduction, Validation and Prioritization
The SIRT evaluates, reproduces and validates the reported issue. Along with other factors, the SIRT uses version 3.0 of the Common Vulnerability Scoring System (CVSS) to assign the issue an internal priority.
Ruckus aims to acknowledge receipt of the initial report within two working days. If Ruckus does not consider the report to be a valid security concern, the reporter is informed accordingly and the issue is not pursued further. All communication from Ruckus regarding the reported issue is protected with the SIRT's PGP key (see our security page).
3. Resolution Plan
Once the reported issue has been validated and prioritized, a resolution plan is developed. The plan identifies the affected products and the active code branches that may require a patch, lists known workarounds, and sets the schedule for availability of the fixes. For very high priority issues, the plan may include emergency patch releases. Ruckus follows this plan to allocate resources for timely resolution of the reported issue.
4. Mitigation Verification
The fixes and workarounds are delivered to the SIRT, and the Ruckus QA team verifies them. Optionally, the SIRT may also engage the reporting party in verification.
5. Customer Communication
Once the mitigation measures have been verified, the SIRT compiles a security advisory explaining the nature of the security issue and detailing how it affects Ruckus products. The advisory also describes the relevant mitigation steps (including any workarounds) and how to apply them, and includes a CVSS score to help customers understand the severity of the issue and plan upgrades accordingly.
The security advisory is released simultaneously to all Ruckus customers and partners worldwide who are under existing support arrangements. Ruckus does not in general engage in selective disclosure of security issues, but reserves the right to do so under exceptional circumstances (e.g. national security). This customer communication is protected with the SIRT's PGP key (see our security page). A copy of the advisory is also provided to the original reporting party.
6. Public Notification
The security advisory is made publicly available 60 days after the notification to supported customers and partners goes out. The purpose of this window is to give Ruckus customers and partners ample time to perform any required upgrades and implement the mitigation steps outlined in the advisory. The window is at the discretion of Ruckus and is subject to change without notice.
Security advisories are published on the public Ruckus security page, which contains a complete archive of all publicly released advisories. Public disclosures are also distributed via the BugTraq mailing list.
All patches are made available on the Ruckus support site for customers with current support contracts.