Purpose of the Policy
The Yokogawa Group expresses its sincerest gratitude to stakeholders for their collaboration in mitigating the risk of vulnerabilities, which are weaknesses to cyberattacks, with a view to ensuring the security of customers’ assets.
The Yokogawa Group shall work to help ensure the safety of our customers' assets, recognizing that continuous risk assessment and taking measures against cyber-threats are among the most important tasks in customers’ asset management.
1. Acceptance of information
The Yokogawa Group accepts information on vulnerabilities of our products from any party. Normally, the Group will contact the reporter regarding acceptance of the vulnerability information within one or two business days. The Group may ask for additional information.
Please report vulnerability information from the following:
Based on the concept of Coordinated Vulnerability Disclosure (CVD)(*3), the Yokogawa Group requests that the reporter report discovered vulnerabilities to the Yokogawa Group or CERT organizations in advance of disclosure.
2. Investigation of vulnerabilities
The Yokogawa Group will investigate products that will be affected by vulnerabilities. The Group will share the results with the reporter. It will rate the level of severity of the vulnerabilities under the Common Vulnerability Scoring System (CVSS)(*4).
3. Preparations for countermeasures
- Remediation: A patch, fix, upgrade or the like that either removes or mitigates a vulnerability
- Workaround: Actions and other measures aimed at reducing the impact of attacks that exploit vulnerabilities
4. Information offering
The Yokogawa Group will provide customers with the Yokogawa Security Advisory Report (YSAR), which includes information on vulnerabilities. Before doing so, it will coordinate the YSAR’s content and the timing of its provision with the reporter and with CERT organizations.
- Content of the YSAR
The YSAR will include the following information.
- Descriptions of vulnerabilities
- Level of severity (rated under the CVSS)
- Details of countermeasures
- Information about the reporter (if the reporter agrees)
The Yokogawa Group will provide the YSAR in the following manner.
- Disclosure on the Yokogawa Group website
- Timing of provision of the YSAR
In principle, the Yokogawa Group will provide the information after it becomes ready to provide the remediation. However, it will consider offering information at the time it becomes ready to provide the workaround in cases where it is necessary to swiftly offer information to customers, such as cases where attacks exploiting the vulnerabilities have already been observed.
(*1) Organizations that accept and publish vulnerability information and issue alerts, such as JPCERT/CC, CERT/CC and ICS/CERT
Reference: Common Vulnerability Scoring System https://www.first.org/cvss/
Contact for Inquiries
For inquiries concerning the handling of vulnerabilities, please contact us at the following address.
November 20, 2018: Established