Lexmark’s ultimate goal is to produce software and hardware that is free from security-related vulnerabilities; however, the sheer complexity of the code in the products means that security-related issues in released products must still be addressed. Lexmark’s software and hardware products contain hundreds of files, thousands of objects, and tens of millions of lines of code, and a product that was released with no known vulnerabilities may have new vulnerabilities identified over time. This can be due to a previously unidentified vulnerability found in custom code written by Lexmark, in a common shared system library, or in a third-party library integrated into the Lexmark software or firmware. Lexmark’s security staff and experts monitor multiple channels for the identification of new security vulnerabilities, including internal review, customer service, the security-focused press, security-related academic research, and technical alerts from organizations such as the NIST National Vulnerability Database (NVD) and the US Computer Emergency Readiness Team (US-CERT). Additionally, Lexmark uses scanning tools during the implementation phase that scan source code for out-of-date or vulnerable shared libraries.
Registration
Sign up here for the latest security alerts.
Identification Process
When new vulnerabilities are identified which might affect Lexmark’s products, they are addressed via the following process:
1. The vulnerability is analyzed to determine if it affects the product. (Vulnerabilities found in shared system or third-party code libraries may not apply, depending on the way the code is used in the system.)
2. Lexmark’s security staff determines if the exploit mechanism for the vulnerability is possible in Lexmark’s implementation.
3. If yes, then the security bug is scored using the industry-standard Common Vulnerability Scoring System (CVSS). Note: The severity score published in a technical alert may differ from the score for a specific implementation.
4. Internal processes are initiated to log, track, patch, and test the bug fix, and updated code is provided via a patch process.
5. If the CVSS score warrants, Lexmark will issue a security advisory for the products affected.
Additional details can be found in our Secure Software Development Lifecycle (SSDL) Whitepaper.
Submitting an issue
For product security vulnerabilities affecting Lexmark printers, send an e-mail to securityalerts@lexmark.com.
You may use Lexmark's PGP key to encrypt sensitive information (click here to download our PGP public key). Please also include your PGP key so we may communicate with you on sensitive issues.