The scope of the Verizon VDP includes Verizon products and Verizon-supported products and is intended for the reporting of vulnerabilities. For example, Verizon-branded devices such as mobile hot spots, fiber routers, Verizon phone applications (e.g., My Verizon), etc.
At the present time Verizon does not investigate nor report vulnerabilities for other vendors, products, or services. Verizon commits to the following:
- Make all reasonable attempts to notify OEM suppliers of any vulnerabilities for Verizon-branded products.
- In the event of a vulnerability report for an OEM product, Verizon will forward vulnerability reports to the appropriate supplier.
- Reports submitted to Verizon will be analyzed by the appropriate internal security teams, verified, and disclosed via CISA as a CVE.
- Response times will vary depending on the type of vulnerability, but will generally be within 5 business days.
- Not publicly disclose a vulnerability while the supplier develops a fix or mitigation (or until 90 days have expired, whichever comes first).
- Coordinate the Public Disclosure date and publishing vulnerability advisories with the supplier. Disclosure consists of a published CVE as well as documentation located on the Verizon CVE page.