Security Vulnerability Reporting
Mitsubishi Electric Iconics Digital Solutions (MEIDS) strives to build products that our customers trust in critical operations in their enterprises. We recognize that our products need to meet the highest standards for security; otherwise, customers will not be able to deploy them with confidence. This page documents our Security Response Policy and our commitment to resolving possible vulnerabilities in our products so that our customers can be assured that any such issues will be addressed in a timely fashion.
How to Report a Vulnerability
If you believe you have discovered a security vulnerability in a product, we encourage you to either:
Send an Email
Send an email to secure@iconics.com. Please include details on the product, product version, configuration, and steps to reproduce if possible so that we can duplicate the issue being reported. We encourage the use of encryption using our public PGP key which can be downloaded here.
We value the members of the independent security research community who find security vulnerabilities and work with us so that security fixes can be issued to all customers. Our policy is to credit all researchers in the Mitsubishi Electric Iconics Digital Solutions Whitepaper on Security Vulnerabilities when a fix for the reported security bug is issued. In order to receive credit, security researchers need to follow responsible disclosure practices, including:
- They do not publish the vulnerability prior to Mitsubishi Electric Iconics Digital Solutions releasing a fix for it
- They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code
In the case of vulnerabilities found in third-party software components used in MEIDS products, please also notify us as described above.
Our Response to Reported Vulnerabilities in Our Products
We receive private reports on potential security vulnerabilities via email and through our website, where reporters can privately enter and submit information on the vulnerabilities. After receipt of a report of a vulnerability, we will triage the report and determine which products are affected and what the severity of the vulnerability is. We will then provide feedback to the reporter of the vulnerability and work with them to address the issue.
In the event of a public report where there is no available fix, we will acknowledge the report by publishing an update to the MEIDS Whitepaper on Security Vulnerabilities. This information will include references to the public sources reporting the vulnerability. Whenever possible, it will include steps users can take to protect their Mitsubishi Electric Iconics Digital Solutions system from exploitation of the vulnerability.
A fix or a corrective action may take one or more of the following forms:
- A new version release
- A new maintenance (Critical Fix Rollup) release for a prior released version
- A patch that can be installed on top of the affected product
- Instructions to download and install an update or patch for a third-party software component that is part of our product installation
- A corrective procedure or workaround that instructs users in adjusting the Mitsubishi Electric Iconics Digital Solutions product configuration to mitigate the vulnerability.
When a fix or corrective action for a vulnerability becomes available, we will notify our customers by the following means:
- The Whitepaper on Security Vulnerabilities is updated and posted. It details the security vulnerability and provides a reference to the software updates, as appropriate, to address the vulnerability. The Mitsubishi Electric Iconics Digital Solutions Security Vulnerability Whitepaper is posted at https://iconics.com/cert.
- We will send an email to users who have registered to receive notifications when there has been an update to the Whitepaper on Security Vulnerabilities.
- In the case of highly severe security vulnerabilities, we work with US-CERT on having an ICS-CERT advisory issued on such vulnerabilities at the time a fix or correction becomes available.