The purpose of this Policy is to explain the Yokogawa Group’s basic policy for the handling of vulnerabilities and its process to customers, computer emergency response team (CERT)(*1) organizations, vendors, researchers and other stakeholders. The Yokogawa Group is committed to responding to vulnerabilities in our products(*2) in accordance with this Policy.
The Yokogawa Group expresses its sincerest gratitude to stakeholders for collaboration in mitigating the risk of vulnerabilities, that are weakness to cyberattacks, with a view to ensuring the security of customers’ assets.
The Yokogawa Group shall work to support ensuring the safety of our customers' assets with the recognition that continuous risk assessment and taking measures to cyber-threats are one of the most important tasks for customers’ asset management.
With respect to the handling of vulnerabilities, the Yokogawa Group will offer information and countermeasures regarding the vulnerabilities of our products with a view to supporting customers to manage associated risks.
The process of handling vulnerabilities consists of the four steps described below.
The Yokogawa Group accepts information on vulnerabilities of our products from any party. Normally, the Group will contact the reporter regarding acceptance of the vulnerability information within one or two business days. The Group may ask for additional information.
Please report vulnerability information from the following:
Based on the concept of Coordinated Vulnerability Disclosure (CVD)(*3), the Yokogawa Group request to the reporter to report discovered vulnerabilities to the Yokogawa Group or CERT organizations in advance of disclosure.
The Yokogawa Group will investigate products that will be affected by vulnerabilities, The Group will share the results with the reporter. It will rate the level of severity of the vulnerabilities under the Common Vulnerability Scoring System (CVSS)(*4).
The Yokogawa Group will consider taking the following countermeasures and will make preparation in accordance with the level of severity of the vulnerabilities.
- Remediation: Patch, fix, upgrade and suchlike to either remove or mitigate a vulnerability
- Workaround: Actions and others aimed at reducing impacts of attacks that exploit vulnerabilities
The Yokogawa Group will provide customers with the Yokogawa Security Advisory Report (YSAR), which includes information on vulnerabilities. Before doing so, it will coordinate the YSAR’s content and the timing of its provision with the reporter and with CERT organizations.
- Content of the YSAR
The YSAR will include the following information.
- Descriptions of vulnerabilities
- Products and their versions affected by vulnerabilities
- Level of severity (rated under the CVSS)
- Details of countermeasures
- Information about the reporter (if the reporter agrees)
- Contact for inquiries
- Method of providing the YSAR
The Yokogawa Group will provide the YSAR in the following manners.
- Disclosure on the Yokogawa Group website
- Provision of information in accordance with maintenance service agreements for individual products
- Timing of provision of the YSAR
In principal, the Yokogawa Group will provide the information after it becomes ready to provide the remediation.However, it will consider offering information at the time it becomes ready to provide the workaround in a case where it is necessary to swiftly offer information to customers, such as cases where attacks exploiting the vulnerabilities have been already observed.
(*1) Organizations that accepts and publishes vulnerabilities information and that gives alert, such as JPCERT/CC, CERT/CC and ICS/CERT
(*3) A concept that the discoverer who discovered new vulnerabilities first discloses directly to the vendor or CERT organizations privately, then make the vendor prepare the countermeasures before the vulnerability information disclosure. It means each stakeholder cooperates to make a profit of product users a primary consideration.
(*4) A system of evaluation under which the level of severity of vulnerabilities is indicated on the scale from 0.0 to 10.0
Reference: Common Vulnerability Scoring System https://www.first.org/cvss/
For inquiries concerning the handling of vulnerabilities, please contact us at the following address.
November 20, 2018: Established