Product vulnerability disclosures and policy

Eaton Product Cybersecurity Center of Excellence

We are committed to ensuring that our products are safe and secure for our customers. Recognizing the importance of cybersecurity in Eaton products and solutions, we have established a Product Cybersecurity Center of Excellence (CCoE) responsible for driving our product cybersecurity initiative. 

Product security incident response overview

The CCoE is responsible for responding to product security incidents and vulnerabilities affecting Eaton’s intelligent products. A dedicated, global team manages the receipt, investigation, vulnerability remediation and public reporting of security vulnerability information related to Eaton products. 

Vulnerability information receipt

We are prepared to work in good faith with individual researchers, ICS-CERT, security intelligence-gathering agencies, customers and field personnel who might discover and submit a vulnerability report on our products. Vulnerabilities can be reported on our Report an Issue page.

Eaton agrees not to pursue legal action against individuals who:

  • Engage in testing/research of Eaton smart products without harming Eaton or its customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure policy or receive prior permission/consent from Eaton.
  • Test products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
  • Adhere to the laws of their location and Eaton’s location.
  • Submit vulnerability reports through our Report an issue process.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Acknowledgement and preliminary analysis

We follow an internal risk assessment process to accept and acknowledge the receipt of vulnerability information, do a preliminary analysis, and assign an initial rating to the vulnerability reported. For any externally reported vulnerability in third-party software libraries, we assign a risk rating using the CVSS v3 vulnerability scoring method as it applies to the affected Eaton product and its deployment context. Any vulnerability whose overall CVSS score is 7.0 and above or is deemed a High Security risk by the CCoE will get addressed on a priority basis.

Fix or mitigation

Vulnerabilities discovered on currently supported products are remediated by Eaton. The CCoE team works with the product team to get the vulnerability remediated as per the priority assigned. An approximate timeline to fix the issue is estimated and communicated to the vulnerability reporters (i.e., individual researchers, ICS-CERT or other agencies). During this phase, the CCoE team acts as the single point of contact for external entities and engages with the internal teams to get the vulnerability fixed and tested. During this time, communication may be maintained with the reporting party as we work to resolve the issue.

Release of the fix

Eaton releases vulnerability remediation/fixes through the affected products’ standard distribution channel. The detailed technical information related to the fixes is released as an Eaton product security advisory.

Eaton prefers to engage with the vulnerability researchers to perform a coordinated disclosure and expects the vulnerability researchers to refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.

Eaton security advisories

Public release of information relating to security vulnerabilities is on our Cybersecurity notifications page. This page is the central repository for Eaton product security advisories related to all Eaton electrical products. Customers are encouraged to monitor this portal for the latest security advisories.

We intend to issue security advisories for validated vulnerabilities when a practical workaround or fix has been identified. There may be instances when an advisory is issued in the absence of a workaround. Because each security vulnerability is different, we may take alternative actions in connection with issuing security advisories. 

Eaton does not guarantee that security advisories will be issued for any or all security issues that customers may consider significant or that advisories will be issued on any specific timeline.

Reward and recognition

Eaton maintains a Hall of Recognition to duly recognize the contributions of security researchers who report product cybersecurity vulnerabilities in adherence to this policy:

Contributor                   Organization         Notification
Natnael Samson                Trend Micro's ZDI    CVE-2020-10637, CVE-2020-10639
Ravjot Singh Samra                                 CVE-2020-6650
Sivathmican Sivakumaran       Trend Micro's ZDI    CVE-2020-6651, CVE-2020-6652

Contributor                   Organization         Notification
Emre Övünç                                         CVE-2018-12031
Tod Beardsly                  Rapid 7              CVE-2019-5625

Contributor                   Organization         Notification
Ariele Caltabiano (kimiya)    Trend Micro's ZDI    CVE-2018-7511
Ghirmay Desta                 Trend Micro's ZDI    CVE-2018-8847

Eaton reserves the right to modify this policy at any time, in its sole discretion.