Introduction

Arxscan is committed to ensuring that our products are safe and secure for our customers. Recognizing the importance of cybersecurity in Arxscan products and solutions, we are prepared to work in good faith with individual researchers, ICS-CERT, security intelligence-gathering agencies, customers and field personnel who might discover and submit a vulnerability report on our products. Vulnerabilities can be reported on our Report an Issue page.

This policy sets out our definition of good faith in the context of finding and reporting security vulnerabilities, as well as what you can expect from us in return for your effort, skill, and dedication.

Guidelines

We require all security researchers to:

If you follow these guidelines when reporting an issue to us, we commit to:

Expectations

When working with us according to this policy, you can expect us to:

Acknowledgement and preliminary analysis

We follow an internal risk assessment process to accept and acknowledge the receipt of vulnerability information, perform a preliminary analysis, and assign an initial rating to the reported vulnerability. For any externally reported vulnerability in third-party software libraries, we assign a risk rating using the CVSS v3 vulnerability scoring method as it applies to the affected Arxscan product and its deployment context. Any vulnerability with an overall CVSS score of 7.0 or above, or that is deemed a High Security risk by Arxscan, will be addressed on a priority basis.

Fix or mitigation

Vulnerabilities discovered in currently supported products are remediated by Arxscan. The Arxscan team works to get the vulnerability remediated according to the priority assigned. An approximate timeline to fix the issue is estimated and communicated to the vulnerability reporters (i.e., individual researchers, ICS-CERT or other agencies). During this phase, the Arxscan team acts as the single point of contact for external entities and engages with the internal teams to get the vulnerability fixed and tested. During this time, communication may be maintained with the reporting party as we work to resolve the issue.

Release of the fix

Arxscan releases vulnerability remediation/fixes through the affected products’ standard distribution channel. The detailed technical information related to the fixes is released as an Arxscan product security advisory.

Arxscan prefers to engage with the vulnerability researchers to perform a coordinated disclosure and expects the vulnerability researchers to refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Arxscan security advisories

Public release of information relating to security vulnerabilities is on our Cybersecurity notifications page. This page is the central repository for Eaton product security advisories related to all Eaton electrical products. Customers are encouraged to monitor this portal for the latest security advisories.

We intend to issue security advisories for validated vulnerabilities when a practical workaround or fix has been identified. There may be instances when an advisory is issued in the absence of a workaround. Because each security vulnerability is different, we may take alternative actions in connection with issuing security advisories.

Arxscan does not guarantee that security advisories will be issued for any or all security issues that customers may consider significant or that advisories will be issued on any specific timeline.

Note: Arxscan reserves the right to modify this policy at any time, in its sole discretion.

Recognition

Arxscan posts credit to duly recognize the contributions of security researchers who report product cybersecurity vulnerabilities in adherence to this policy:

2024

Contributor    Organization       Vulnerability           Notification
Keith Cox      RedBot Security    Cross-Site Scripting    Pending