
Product vulnerability disclosure policy

Eaton Product Cybersecurity Centre of Excellence

We are committed to ensuring that our products are safe and secure for our customers. Recognising the importance of cybersecurity in Eaton products and solutions, we have established a Product Cybersecurity Centre of Excellence (CCoE) responsible for driving our initiative in this field. 

Overview of responses to product security incidents

The CCoE is responsible for responding to product security incidents and vulnerabilities affecting Eaton’s intelligent products. A dedicated, global team manages the receipt, investigation, vulnerability remediation and public reporting of security vulnerability information related to Eaton products. 

Vulnerability information receipt

We are prepared to work in good faith with individual researchers, ICS-CERT, security intelligence-gathering agencies, customers and field personnel who might discover and submit a vulnerability report on our products. Vulnerabilities can be reported on our Report an Issue page.

Eaton agrees not to pursue legal action against individuals who:

  • Engage in testing/research of Eaton smart products without harming Eaton or its customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure policy, or receive prior permission/consent from Eaton.
  • Test products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing of their devices/software, etc.
  • Adhere to the laws of their location and Eaton’s location.
  • Submit vulnerability reports through our Report an Issue process.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon time-frame expires.

Acknowledgement and preliminary analysis

We follow an internal risk assessment process to accept and acknowledge receipt of vulnerability information, perform a preliminary analysis, and assign an initial rating to the reported vulnerability. For any externally reported vulnerability in third-party software libraries, we assign a risk rating using the CVSS v3 scoring method as it applies to the affected Eaton product and its deployment context. Any vulnerability with an overall CVSS score of 7.0 or above (the lower bound of the CVSS "High" severity band), or which the CCoE deems a High security risk, is addressed on a priority basis.

Fix or mitigation

Vulnerabilities discovered in currently supported products are remediated by Eaton. The CCoE team works with the product team to remediate the vulnerability according to the assigned priority, and an approximate remediation timeline is communicated to the reporter (an individual researcher, ICS-CERT or another agency). During this phase the CCoE team acts as the single point of contact for external parties, engages the internal teams to have the fix developed and tested, and may maintain communication with the reporter while the issue is resolved.

Release of the fix

Eaton releases vulnerability remediation/fixes through the affected products’ standard distribution channel. The detailed technical information related to the fixes is released as an Eaton product security advisory.

Eaton prefers to engage with the vulnerability researchers to perform a coordinated disclosure and expects them to refrain from disclosing vulnerability details to the public before a mutually agreed-upon time-frame expires.

Eaton security advisories

The public release of information about security vulnerabilities takes place on our Cybersecurity notifications page, the central repository for product security advisories covering all Eaton electrical products. Customers are encouraged to monitor this portal for the latest security advisories.

We intend to issue security advisories for validated vulnerabilities when a practical workaround or fix has been identified. There may be instances when an advisory is issued in the absence of a workaround. Because each security vulnerability is different, we may take alternative actions in connection with issuing security advisories. 

Eaton does not guarantee that security advisories will be issued for any or all security issues that customers may consider significant, or that advisories will be issued on any specific timeline.

Reward and recognition

Eaton maintains a Hall of Recognition to duly recognise the contributions of security researchers who report product cybersecurity vulnerabilities in adherence to this policy.

 

Eaton reserves the right to modify this policy at any time, in its sole discretion.