Security Vulnerability Management
Overview
The Product Network Security Process Team (PNSPT) of Morita Electric Co., Ltd. is dedicated to addressing security vulnerabilities in Morita Electric products. Unlike quality defects, these vulnerabilities only cause damage when exploited by an attacker. PNSPT manages security issues based on relevant standards, reduces vulnerabilities, and is committed to providing timely risk mitigation measures to minimize damage to customers.
Vulnerability Submission
- We encourage reports from security officers, organizations, customers, and suppliers.
- To report, please send an email to info@mrt-electric.com including a product overview, product model, software version, and your contact information.
- We will maintain the confidentiality of such information until a solution is provided.
Vulnerability Handling Process
- Vulnerability Intake
After receiving a vulnerability report, we will analyze it and respond to the reporter within 5 days.
- Vulnerability Assessment
Security engineers analyze the severity of the vulnerability and identify the scope of impact and potential consequences.
- Vulnerability Verification and Remediation
The technical validity of the vulnerability is verified, and security engineers will develop and implement a remediation plan or risk mitigation measures within 30 days. We will collaborate with vendors to fix vulnerabilities as necessary.
- Vulnerability Disclosure and Notification
After the vulnerability is fixed, relevant information will be published on the disclosure page. Security updates will be fully delivered to affected devices within 60 days.

Until measures are established, please strive to protect data and maintain confidentiality. Please comply with laws and regulations and protect any data acquired. In accordance with this policy, we will not pursue legal responsibility against those who report vulnerabilities in good faith and in a lawful manner.
Vulnerability Rating Criteria
High / Critical
- Vulnerabilities involving unauthorized privilege escalation or remote command execution exist, allowing full remote control over a single or multiple devices in a public network environment. Attackers can obtain high-level privileges on the device without physical contact, and the impact is widespread.
- Control system vulnerabilities exist that can be exploited in bulk remotely, allowing high-privilege operations to be executed simultaneously on many devices from outside the LAN. These vulnerabilities meet the conditions for large-scale attacks and could trigger extensive security incidents.
- Vulnerabilities exist in devices or management systems where sensitive information is leaked, and such leakage may directly cause widespread security incidents. Examples: Leakage of critical information such as encryption keys (private keys), certificates, or administrator passwords.
- Remotely triggerable Denial of Service (DoS) vulnerabilities exist, which could cause many devices to stop functioning or become unavailable simultaneously. This has a serious impact on business continuity.
- Core security mechanisms of the device may be bypassed, allowing an attacker to gain persistent control. This includes disabling the boot chain, upgrade mechanisms, or privilege separation.
Medium
- Vulnerabilities involving unauthorized privilege escalation or command execution exist, allowing remote control of a single device or device control within a LAN. The attack scope is limited to the network boundary, but it has practical exploit value.
- General privilege escalation issues or vulnerabilities that allow only limited commands to be executed. Attackers can expand operation privileges under certain conditions, but direct control of all functions is difficult.
- Information leakage vulnerabilities exist, where the leaked content could cause minor security incidents. Examples: Leakage of partial configuration files, execution logs, or non-core account information.
- Denial of Service (DoS) vulnerabilities exist that can be exploited on a small scale, potentially causing service interruptions for some equipment. The impact is limited to a local environment or a small number of devices.
- Exploiting the vulnerability requires certain preconditions (e.g., logged-in account, specific network environment, physical contact), but it may have a substantial impact on device security.
Low
- Denial of Service vulnerabilities exist that affect only a single device and do not impact other devices or overall business operations. The attack effect is limited, and recovery costs are low.
- Information leakage issues exist, but the leaked content itself is insufficient to directly cause a security incident. It appears only as a potential security risk or design flaw.
- Deficiencies in privilege or access control exist, but direct unauthorized privilege escalation or execution of sensitive operations is impossible.
- Security flaws exist that only occur under specific restricted conditions, and the impact on the actual environment is small.
- The difficulty of exploiting the vulnerability is high, and the impact on device confidentiality, integrity, or availability is low.
None / Informational
- Issues related only to security hardening recommendations or configuration optimizations that do not constitute an actual security risk.
- Leaked information is public information or content with no security value, and does not affect system security.
- Theoretically, a vulnerability might exist, but it cannot be exploited under the current hardware architecture or deployment environment.
- False positives from automated tools where human analysis has confirmed that no security risk exists.
- Cautionary issues that do not affect device control, data security, or business continuity.