Vulnerability Disclosure Policy

In order to ensure a high level of product security and protect our customers against cyber attacks, Mitsubishi Electric discloses vulnerability information related to our products in accordance with “ISO/IEC 29147” and “Information Security Early Warning Partnership Guideline”*1 (Published by IPA).

*1Information Security Early Warning Partnership Guideline
https://www.ipa.go.jp/security/english/about_partnership.html

Reporting

We gather vulnerability information from external security researchers and coordinating bodies (The Computer Emergency Response Team “CERT” of each country etc.) to improve the information security quality of our products. If you believe one of our products has a potential, please contact one of these coordinating bodies or contact us directly using the report form on our website at the link below.

Vulnerability report form

https://www.mitsubishielectric.com/en/psirt/contact/index.html

After receiving the vulnerability information via the report form, we will reply within 5 business days. Please note that our reply will be a little late during Japan’s public holidays and Mitsubishi Electric own holidays, etc.

Mitsubishi Electric PSIRT (Product Security Incident Response Team) is the department responsible for handling vulnerability information related to Mitsubishi Electric products. Regarding vulnerability information of our website, such as mitsubishielectric.co.jp, mitsubishielectric.com, please contact MELCO-CSIRT*2. Please only use these guidelines for reporting issues with Mitsubishi Electric products. With regards to products other than those manufactured by Mitsubishi Electric, please contact the manufacturer of the respective product.

*2MELCO-CSIRT (in Japanese)
https://www.nca.gr.jp/member/melco-csirt.html

The report form is encrypted with SSL/TLS. After the reporter contacts us via the report form, we will communicate with the reporter by e-mail. If the e-mail and/or attachments contain sensitive information about undisclosed vulnerabilities, please encrypt the e-mail and/or attachments with our PGP public key to prevent unintentional disclosure. We will notify the reporter of the PGP public key individually in response to a submission.

Investigation and Countermeasures

The relevant product design and development department will investigate the vulnerability information the reporter provided, and if the following three conditions are met, it will be determined as a new vulnerability and we will immediately notify the result of the investigation to the reporter. We may request additional information as necessary.

Vulnerability criteria:

  1. Identifies a true product security issue.
  2. The vulnerability is able to be reproduced.
  3. The vulnerability is undisclosed.

Should a vulnerability be found, we will implement countermeasures and prepare to disclose a new vulnerability. If it is not a new vulnerability, we will close the investigation and notify the reporter of our conclusion.

Publication of Security Advisory

In order to enable our customers to take appropriate measures against new vulnerabilities in our products, we will prepare a security advisory to publish the vulnerability. We will coordinate the date of publication of the advisory with the reporter and other stakeholders as soon as the advisory is ready for publication, and publish it on our website below after a CVE number is assigned.

Vulnerability Information

https://www.mitsubishielectric.com/en/psirt/vulnerability/index.html

At the same time, we will report the vulnerability to Japan Computer Emergency Response Team Coordination Center “JPCERT/CC” and the CERT of each country as necessary. In accordance with the “Information Security Early Warning Partnership Guideline”, in principle, we will not disclose vulnerability information to third parties other than the reporter, coordinating body and product developer.

Acknowledgements to the people who have contributed to the discovery or resolution of the vulnerability in our products will be posted in the security advisory after agreement with those contributors. If multiple individuals or organizations report the same vulnerability, acknowledgments to the first reporter will be posted in the security advisory.