Wurldtech Security Technologies is committed to maintaining the highest level of confidentiality and respect for the additional privacy needs of the automation industry, due to the sensitive nature of the vulnerabilities, and the significant gap between newly discovered device vulnerabilities and fixes (when possible) or workarounds being widely deployed by industry.

This policy outlines how Wurldtech handles responsible vulnerability disclosure to our customers, product vendors, asset owners, security vendors and the general public.

Wurldtech will honor all commitments to our customers, including non-disclosure agreements and other restrictions on information with our clients, and will not disclose information covered under these commitments without explicit customer approval. However, Wurldtech will ceaselessly work with our customers to seek such approval whenever possible.

Wurldtech will responsibly and promptly notify the appropriate product vendor of a security flaw with their product(s) or service(s). All notifications will be made via appropriately secure methods of communication.

Wurldtech will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Wurldtech will offer to work with that vendor to define effective workarounds.

Wurldtech will also work with the vendor to inform both US-CERT and CERT/CC coordination centers of the identified vulnerability, once a vendor patch or vendor approved mitigation scheme has been made publicly available.

Before public disclosure of any vulnerability, Wurldtech may share technical details of the vulnerability with other security vendors who are in a position to provide a protective response to a broader user base. Such a security vendor must show they are able to provide security protection for vulnerabilities, while at the same time not revealing the technical vulnerability details in their product updates.

In no case will Wurldtech publicly disclose any vulnerability. Instead, we will rely on the US-CERT and CERT/CC co-ordination centers to balance the interests of the vendors, asset owners, and other stakeholders in determining when to publicly disclose.