Purpose of the Policy

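The purpose of this policy is to explain the Yokogawa Group's basic policy on the handling of vulnerabilities, and its process, to Computer Emergency Response Team (CERT)(*1) organizations, vendors, researchers and other stakeholders. The Yokogawa Group is committed to addressing vulnerabilities in our products(*2) in accordance with this policy.
The Yokogawa Group expresses its sincerest gratitude to stakeholders for their collaboration in mitigating the risk of vulnerabilities, which are weaknesses to cyberattacks, with a view to ensuring the security of customers’ assets.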

Basic Policy

The Yokogawa Group shall work to help ensure the safety of our customers' assets, recognizing that continuous risk assessment and taking measures against cyber-threats are among the most important tasks for customers’ asset management.
Regarding the handling of vulnerabilities, the Yokogawa Group will provide information on vulnerabilities in our products and on countermeasures, to support customers in managing the related risks.

Process

The process of handling vulnerabilities consists of the four steps described below.

1. Acceptance of information

The Yokogawa Group accepts information on vulnerabilities of our products from any party. Normally, the Group will contact the reporter regarding acceptance of the vulnerability information within one or two business days. The Group may ask for additional information.
Please report vulnerability information using the following link:
https://contact.yokogawa.com/cs/gw?c-id=000983

Based on the concept of Coordinated Vulnerability Disclosure (CVD)(*3), the Yokogawa Group requests that the reporter report discovered vulnerabilities to the Yokogawa Group or CERT organizations in advance of disclosure.

2. Investigation of vulnerabilities

The Yokogawa Group will investigate products that are affected by the vulnerabilities and will share the results with the reporter. It will rate the level of severity of the vulnerabilities under the Common Vulnerability Scoring System (CVSS)(*4).

3. Preparations for countermeasures

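The Yokogawa Group will consider the following countermeasures and prepare them according to the severity of the vulnerabilities.
- Remediation: Patch, fix, upgrade and the like to either remove or mitigate a vulnerability
- Workaround: Actions and other measures aimed at reducing the impact of attacks that exploit vulnerabilities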

4. Information offering

The Yokogawa Group will provide customers with the Yokogawa Security Advisory Report (YSAR), which includes information on vulnerabilities. Before doing so, it will coordinate the YSAR’s content and the timing of its provision with the reporter and with CERT organizations.
- Content of the YSAR
  The YSAR will include the following information.
  - Descriptions of vulnerabilities
  - Products and their versions affected by the vulnerabilities
  - Level of severity (rated under the CVSS)
  - Details of countermeasures
  - Information about the reporter (if the reporter agrees)
  - Contact for inquiries
- Method of providing the YSAR
  The Yokogawa Group will provide the YSAR in the following manners.
  - Disclosure on the Yokogawa Group website
    //www.zhisiyu.com/library/resources/white-papers/yokogawa-security-advisory-avisory-report-list/
  - Provision of information under the maintenance service agreements for individual products
- Timing of provision of the YSAR
  In principle, the Yokogawa Group will provide the information after it becomes ready to provide the remediation. However, it will consider offering information at the time it becomes ready to provide the workaround in a case where it is necessary to swiftly offer information to customers, such as cases where attacks exploiting the vulnerabilities have already been observed.


(*1) Organizations that accept and publish vulnerability information and issue alerts, such as JPCERT/CC, CERT/CC and ICS/CERT
(*2)//www.zhisiyu.com/solutions/vwin官方网站products-platforms/
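(*3) The finder of a new vulnerability first discloses it privately and directly to the vendor or to CERT organizations, which allows the vendor to prepare countermeasures before the vulnerability information is disclosed. This means that all stakeholders cooperate with the benefit of product users as the primary consideration.
Reference: https://blogs.technet.microsoft.com/msrc/2010/07/22/announcing-coordined-vulnerability-discluse/
(*4) A rating system that indicates the severity of a vulnerability on a scale from 0.0 to 10.0
Reference: Common Vulnerability Scoring System https://www.first.org/cvss/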


Contact for Inquiries

For inquiries concerning the handling of vulnerabilities, please contact us at the following address.
https://contact.yokogawa.com/cs/gw?c-id=000498

Revision History

November 20, 2018: Established
