Vulnerability Disclosure Policy
FANUC (hereinafter referred to as “we,” “our” or “us”) has established the PSIRT (Product Security Incident Response Team) to address vulnerabilities related to our products in order to ensure the security of our products and their safe use. In accordance with “ISO/IEC 29147¹,” we disclose vulnerability information in order to appropriately provide countermeasures against vulnerabilities and contribute to reducing security risks to our customers.
In the sections below, we describe the following two matters together with an overview of our vulnerability response process:
- Method of reporting vulnerabilities related to our products
- Method of providing security advisories related to our products
- ¹ ISO/IEC 29147 - Vulnerability disclosure
Vulnerability Response Process Related to Our Products
Receipt of Vulnerability Information
If you detect any vulnerability in our products, please contact us using the web form link below. We will notify you of receipt generally within 2 business days.
When you contact us, we would appreciate it if you could also provide the following information:
- Product name and version in which the vulnerability has been detected;
- Details of the vulnerability;
- Method of verifying the vulnerability; and
- Potential threats and impacts.
The information provided by you regarding a vulnerability in a product will be investigated promptly by our relevant departments. We may ask you for additional information as needed.
Based on the information provided by you, we will first verify the reproducibility of the vulnerability and the existence of impact on the product. If we determine as a result of the investigation that there is no impact on the product, we will inform you of such result and conclude our response.
If it is confirmed that there is an impact on our product, we will further investigate and analyze the root cause of the vulnerability and the scale of its impact. The status of the investigation will be shared with you as appropriate.
Based on the results of investigating the cause of the product vulnerability and its impact, we will prepare to implement countermeasures against the vulnerability and to disclose information². Such countermeasures may include distributing a software update or providing workarounds.
- ² The period necessary for such preparation for implementation of countermeasures and information disclosure may vary depending on the level of the vulnerability risk, the scale of its impact and other related factors.
Disclosure of Vulnerability Information
As soon as we are ready to implement countermeasures against any vulnerabilities and disclose information, we will publish a security advisory containing the details of such vulnerabilities and countermeasures on the web page link below³:
- ³ We may provide such information in a technical report issued by us or by individually contacting customers, etc.
When disclosing vulnerability information, we will coordinate with relevant internal and external organizations, including you and the coordinating institutions, on the release date.
- 2023-07-06 Newly released.