We are prepared to work in good faith with individual researchers, ICS-CERT, security intelligence-gathering agencies, customers and field personnel who might discover and submit a vulnerability report on our products. Vulnerabilities can be reported on our Report an Issue page.
Eaton agrees not to pursue legal action against individuals who:
We follow an internal risk assessment process to accept and acknowledge the receipt of vulnerability information, do a preliminary analysis, and assign an initial rating to the vulnerability reported. For any externally reported vulnerability in third-party software libraries, we assign a risk rating using the CVSS v3 vulnerability scoring method as it applies to the affected Eaton product and its deployment context. Any vulnerability whose overall CVSS score is 7.0 and above or is deemed a High Security risk by the CCoE will get addressed on a priority basis.
Vulnerabilities discovered on currently supported products are remediated by Eaton. The CCoE team works with the product team to get the vulnerability remediated as per the priority assigned. An approximate timeline to fix the issue is estimated and communicated to the vulnerability reporters (i.e., individual researchers, ICS-CERT or other agencies). The CCoE team during this phase acts as the single point of contact for external entities and engages with the internal teams to get the vulnerability fixed and tested. During this time, communication may be maintained with the reporting party as we work to resolve the issue.
Eaton releases vulnerability remediation/fixes through the affected products’ standard distribution channel. The detailed technical information related to the fixes is released as an Eaton product security advisory.
Eaton prefers to engage with the vulnerability researchers to perform a coordinated disclosure and expects the vulnerability researchers to refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Public release of information relating to security vulnerabilities is on our Cybersecurity notifications page. This page is the central repository for Eaton product security advisories related to all Eaton electrical products. Customers are encouraged to monitor this portal for latest security advisories.
We intend to issue security advisories for validated vulnerabilities when a practical workaround or fix has been identified. There may be instances when an advisory is issued in the absence of a workaround. Because each security vulnerability is different, we may take alternative actions in connection with issuing security advisories.
Eaton does not guarantee that security advisories will be issued for any or all security issues that customers may consider significant or that advisories will be issued on any specific timeline.
Eaton maintains a Hall of Recognition to duly recognize the contributions of security researchers who report product cybersecurity vulnerabilities in adherence to this policy.