What is the process and schedule used by the Juniper Networks SIRT for disclosing information to customers regarding vulnerability-related issues?
Improve support by publishing Juniper Security Advisories and Security Notices to customers on a deterministic, periodic basis.
The Juniper Networks Security Incident Response Team (Juniper SIRT) constrains the publication of Juniper Security Advisories and Security Notices for non-urgent issues to a predefined quarterly schedule of the second Wednesdayof January, April, July, and October, covering all Juniper products.
In exceptional circumstances, the Juniper SIRT may publish an out-of-cycle Security Advisory or Security Notice, but that is intended to be a rare event. Examples include, but are not limited to, active malicious exploitation of a zero-day Juniper vulnerability, or perhaps a multi-vendor issue in which all participating parties must publish simultaneously on a schedule negotiated by an external coordinating agency.
The Juniper SIRT considers numerous criteria for determining if an issue warrants SIRT attention and, if so, how and to what range of products and software releases a fix will be applied, and also how and when the issue will be published. The Juniper SIRT uses the Common Vulnerability Scoring System (CVSS) to rank an issue as one factor in its evaluation. Information for how Juniper Networks uses CVSS can be found in KB16446 in the Related Links section below.
More information regarding the Juniper SIRT, including methods by which to report a product security vulnerability, is also available in the Related Links section below.