Security gaps in software cannot be 100 % prevented. Therefore, it is important to inform users and administrators about these gaps in time so that they can take countermeasures before damage occurs. To make this work it is important to establish an appropriate management system, including a Product Security Incident Response Team (PSIRT) in the company.
Security Incident Management
Why is Incident Management necessary?
What is a Security Advisory?
A Security Advisory informs about an existing security vulnerability in one of our products and it typically includes:
- The description of the weakness,
- A criticality assessment of the weakness in the form of a CVSS* score,
- A list of the affected products including the version,
- Possible countermeasures and, where appropriate, acknowledgement of those who informed us of the weakness.
*The CVSS (Common Vulnerability Scoring System) is an internationally recognised standard procedure for assessing the criticality of a weakness. Version 3.0 of the CVSS is currently available. CVSSv3 defines a score from 0 to 10: the lowest criticality is assessed with 0, the highest with 10.
Here are the current Security Advisories.
The Pilz Product Security Incident Response Team
The security experts in Pilz’s PSIRT analyse, assess and manage potential security weaknesses and security incidents relating to Pilz products and solutions. When a weakness is confirmed, Pilz publishes its PSIRT Security Advisories with notes on how to remedy this weakness.
We want to encourage security experts, independent researchers, customers and other parties to report any security problems in our products and solutions to us. This is the only way we can jointly discuss further activities, coordinate them and improve the security of our products and solutions. To prevent danger to our customers and uninvolved third parties, we ask for coordinated publication of weaknesses and inclusion of our PSIRT.
Pilz Incident Management Process
Please include the following information:
- Item number of the affected product
- Device and firmware (if available)
- Exploit or further data that help us reproduce the problem, if applicable
- A note as to whether the vulnerability has already been published (by you or someone else)
1. Analyse: Our PSIRT examines the reported weakness and, if necessary, requests further information from the submitter. Please note that the examination can take from a few days to a few weeks, depending on the complexity of the weakness and the type of product. Nonetheless, we will give feedback to the submitter after 15 working days at the latest.
2. Define measures: Depending on the seriousness of the weakness and, if necessary, other boundary conditions, updates will be prepared. In case of a serious weakness, Pilz will prepare a Security Advisory. During the process, we will regularly inform the submitter about the status.
3. Publish: The final Security Advisory and any related patches will be published here and will be available for every customer to download. To download, log in with your user name. If you do not yet have a profile, you can register here free of charge. Please note that, depending on the severity of a weakness, patches may be released only in the context of the typical product release cycle.