Product Security Incident Response Team
Overview
The Industrial Scientific Product Security Incident Response Team (PSIRT) is a dedicated global team responsible for receiving, investigating, and reporting on security vulnerability information pertaining to Industrial Scientific devices, products, and networks.
Reporting
PSIRT offers a single point of contact and a uniform process for customers, partners, penetration testers, and security researchers to report security vulnerabilities discovered in Industrial Scientific devices, products, and networks. PSIRT encourages the external security community to disclose security issues privately and responsibly, thereby minimizing risks to customers and the brand.
Vulnerability Classification
We adhere to industry standards by rating vulnerability severity with the Common Vulnerability Scoring System (CVSS) and identifying vulnerabilities with Common Vulnerabilities and Exposures (CVE) identifiers, providing clarity on the severity of a specific vulnerability. Additionally, we implement vulnerability management processes aligned with the NIST Cybersecurity Framework and Cloud Security Alliance (CSA) guidance.
Vulnerability triage stages are as follows:
PSIRT Services Framework
- Identify: Security issues are reported and verified against the general PSIRT intake process, submission guidelines, eligibility criteria, and program exclusions. Submissions that do not meet these criteria will be denied. For those that meet the requirements, the PSIRT team will acknowledge the submission and send confirmation.
- Triage (reproduction and priority): If the vulnerability cannot be reproduced or does not affect an Industrial Scientific product, the PSIRT team informs the reporter and closes the case. When a potential vulnerability is reproducible, the Industrial Scientific PSIRT proceeds with the remainder of the PSIRT process. The Industrial Scientific Priority Rating System is a guideline that helps our customers in managed environments prioritize security updates. We base our priority rankings on historical attack patterns for the relevant product, the type of vulnerability, the platform(s) affected, and any potential mitigations that are in place.
Rating | Definition
--- | ---
Priority 1 | A vulnerability or other issue in production systems that could lead to exposure of customer data or other confidential information such as source code. Examples: remote code execution, SQL injection, broken authentication/authorization.
Priority 2 | A vulnerability or other issue in production systems that could lead to significant adverse effects such as unavailability of the Industrial Scientific system. Example: denial of service.
Priority 3 | A vulnerability or other issue in production systems that could lead to minor effects on the Industrial Scientific system. Examples: self-XSS, information disclosure via error messages.
Priority 4 | A vulnerability or other issue in production systems that has no immediate effect on the Industrial Scientific system. Examples: disclosure of web server version, formula injection in CSV files.
- Triage (CVSS scoring): Industrial Scientific uses the current versions of CVSS and CVE to follow industry best practice and to ensure a shared understanding of severity. CVSS base scores range from 0.0 (lowest severity) to 10.0 (most critical). CVSS defines three metric groups: Base, Temporal, and Environmental. Industrial Scientific scores vulnerabilities using only the Base metrics (the "Base Score") and publishes only the CVSS Base Score at this time.
CVSS Base Scores map to severity categories as follows:
CVSS Severity Category | CVSS Base Score
--- | ---
CRITICAL | 9.0 - 10.0
HIGH | 7.0 - 8.9
MEDIUM | 4.0 - 6.9
LOW | 0.0 - 3.9
- Coordinate: Upon confirmation of a vulnerability, the PSIRT team engages internal stakeholders, ensuring awareness of and assistance with the incident.
- Remediate: Remediation is prioritized based on CVSS score, complexity, affected versions, likelihood of exploitation, and impact. A team is assigned and an estimated timeline is communicated to the reporter; this may change if further information is uncovered. The PSIRT team communicates any change with justification and an updated timeline.
- Notify: Remediation may take the form of a new release, a security update, instructions to download and install an update or patch from a third party, or a workaround to mitigate the vulnerability. PSIRT publishes vulnerability disclosures as Security Advisories once the coordinated (NDA) disclosure period is complete. An advisory may include a summary of the vulnerability, details (including the CVE identifier and CVSS information), affected products and versions, recommendations for customers, and, with permission, acknowledgment of the reporter or coordinator. PSIRT limits the details provided in advisories to protect customers and their data.
Stakeholders Coordination
In support of coordinated disclosure, Industrial Scientific will collaborate with reporters acting in good faith.
- Improve: As part of the Fortive organization, Industrial Scientific is dedicated to providing top industry devices and products and following a secure development lifecycle with the Fortive Business System at its core. This drives growth and innovation, ensures the safety of lifesaving products and technologies, and scales success through continuous improvement. The team has robust tracking and internal communication mechanisms to deliver secure solutions alongside the PSIRT team.
All aspects of the Industrial Scientific PSIRT process and policies are subject to change without notice and are evaluated on a case-by-case basis. There is no guaranteed response for any specific issue or class of vulnerabilities. Industrial Scientific reserves the right to modify or update this document without notice at any time.
Submission Guidelines
Your submission will be reviewed and validated by a PSIRT member.
Submit a vulnerability using the form below.
- If the same vulnerability is found on multiple hosts associated with the same asset/domain, please include all vulnerable hosts in a single report. DNS-related vulnerabilities (e.g. subdomain takeover) are an exception and should be reported uniquely.
- When duplicates occur, the first report received is treated as the unique report, and subsequent reports are marked as duplicates.
DO NOT use social engineering (e.g. phishing, vishing, smishing) techniques.
DO NOT cause a potential or actual denial of service of Industrial Scientific applications and systems.
DO NOT use an exploit to view data without authorization or cause corruption of data.
DO make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Submission Requirements
The Industrial Scientific PSIRT team reserves the right to decline a vulnerability report at any time or stage if it does not meet the requirements below; the reporter will be notified directly.
- Submission guidelines are met.
- Program exclusions are not violated.
- Ineligible participants guidelines are met.