Wärtsilä Vulnerability Disclosure Policy
Wärtsilä accepts vulnerability reports related to our solutions. Wärtsilä hopes to develop and maintain an open partnership with the security community. Wärtsilä recognises that the work the community does is important in
continuing to ensure safety and security of our customers.
We have developed this policy to both reflect our corporate values and to uphold our responsibility to security researchers that are providing us with their expertise.
Vulnerability disclosure scope and guidelines
Wärtsilä’s vulnerability disclosure program covers the following:
- Wärtsilä products & solutions
- Wärtsilä public web site
- Wärtsilä customer digital channels
We ask that all security researchers submit vulnerability reports only for the stated scope.
We do not permit anyone to perform any activity that could potentially cause harm to Wärtsilä or to our customers. If vulnerabilities are discovered, it is not allowed to pivot into to the internal network, access any confidential data or cause
harm to vulnerable systems.
Out of scope:
- Any vulnerability obtained through the compromise of a Wärtsilä customer or employee account
- Customer assets not supplied by Wärtsilä
- Attacks against the integrity of Wärtsilä customers
- Vulnerabilities discoverable through automated scans which have not been verified manually
We openly accept vulnerability reports for stated scope of the vulnerability disclosure policy. We agree not to pursue legal action against individuals who:
- Engage in good faith testing of systems/research without harming Wärtsilä or its customers
- Engage in vulnerability testing within the scope of our vulnerability disclosure program
- Test on solutions without affecting customers
- Refrain from disclosing vulnerability details to the public before it is fixed or a mutually agreed upon timeframe expires
This policy does not provide consent to any unauthorised penetration of Wärtsilä or customer systems, or breach of applicable laws or contractual obligations.
Preference, prioritisation, and acceptance criteria
We will use the following criteria to prioritise and triage submissions:
- Well-written reports in English will have a higher chance of resolution
- Reports that include proof-of-concept code help us to evaluate the situation
- Reports that include only crash dumps or other automated tool output may receive lower priority
- Reports that include solutions not on the scope list may receive lower priority
- Please include how you found the bug, the impact, and any potential remediation
- Please include any plans or intentions for public disclosure
Researchers must not:
- Send unsolicited electronic mail to Wärtsilä users, including “phishing” messages
- Engage in physical testing of facilities or resources
- Engage in social engineering
- Execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks, against Wärtsilä or our suppliers
- Introduce malicious software
- Test in a manner which could degrade the operation of Wärtsilä systems; or intentionally impair, disrupt, or disable Wärtsilä systems
- Test third-party applications, websites, or services that integrate with or link to or from Wärtsilä systems
- Delete, alter, share, retain, or destroy Wärtsilä data, or render Wärtsilä data inaccessible, or
- Use an exploit to exfiltrate data, establish command line access or to establish a persistent presence on Wärtsilä systems.
Clarity of program
- Wärtsilä recognises the value and contribution of the security community to our company purpose: Enabling sustainable societies with smart technology. To this end we warmly welcome the opportunity to collaborate with community members in creating a more secure world.
- This program does not provide monetary rewards.
What you can expect from us:
- A timely response to your email
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline
as well as on issues or challenges that may extend it
- An open dialog to discuss issues
- Notification when the vulnerability analysis has completed each stage of our review
If we are unable to resolve communication issues or other problems, Wärtsilä may bring in a neutral third party to assist in determining how best to handle the vulnerability.