VULNERABILITY AND INCIDENT RESPONSE

Coordinated vulnerability disclosure

Coordinated vulnerability disclosure provides a pathway for the public (for example, security researchers, customers) to disclose vulnerabilities to GE Vernova and reduces the likelihood that an irresponsible disclosure (for example, a security researcher reporting directly to the news) will be made. A legitimate pathway for vulnerability disclosure is an essential link between GE Vernova and the cybersecurity community.

To submit a vulnerability in a GE Vernova product to the GE Vernova Cybersecurity team, please send an email to [email protected], using the following GPG key to encrypt the report before sending it. We actively encourage reports to be sent to us for remediation before a public disclosure, so that we can properly address any vulnerabilities.
 

We request the following when reporting a vulnerability:

  • Please provide your report in English
  • Include specific information about affected products—including model or serial numbers, geographic location, software version, and the means of obtaining the product
  • If you have developed a proof-of-concept for exploiting the vulnerability, please include the code and explanation for the exploit
  • Please let us know if you are aware of any incidents of this vulnerability being exploited on equipment in the field (for example, a GE Vernova customer was directly impacted by this vulnerability)
  • Information on how you discovered the vulnerability, your thoughts on impact or CVSS scoring, and potential remediations will help us to triage the vulnerability more quickly
  • Please include relevant information about yourself or the company/organization you're representing, or let us know if you'd prefer to remain anonymous
  • Please let us know if you have a preferred method of contact during our internal triage process
  • Please include your intentions in disclosing the vulnerability to us, and whether you intend to disclose the vulnerability to the public

In response, you can expect the following from us:

  • Acknowledgement of receipt of your report within one business day
  • During our initial triage of the vulnerability, the GE Vernova Cybersecurity team may reach out to you to do one of the following:
    • Request additional information to supplement your initial report
    • Communicate our expected triage process and timeline
    • Notify you that the report is either out of scope or will not be triaged for other reasons
  • Once we have conducted our own assessment of the vulnerability, we will communicate our process and findings as a result of the investigation
  • If requested, we will include the reporter’s name in our final report if it results in a public disclosure