Once a mitigation is available, Schneider Electric will prepare and release a security notification. General security notifications are published on the Schneider Electric corporate website on the second Tuesday of each month, unless the notification is limited to a specific group of customers, in which case customers may be contacted directly to support remediation.
During the disclosure phase, Schneider Electric assigns a Common Vulnerabilities and Exposures (CVE) number (Schneider Electric is a CVE Numbering Authority in association with MITRE). With the consent of the reporting entity, Schneider Electric will acknowledge the researcher for their discovery in our security notification.
Reporting entities are required to adhere to this policy in order to provide our customers the time they need to protect their installations and operations through defined mitigation strategies. Schneider Electric reserves the right to withhold acknowledgment at its sole discretion in the event of an uncoordinated disclosure or if a reporting entity fails to support Schneider Electric or adhere to this policy.
For reports regarding products that are no longer supported, Schneider Electric will evaluate CVE assignment and discovery acknowledgment on a case-by-case basis.
Each security notification will also contain:
• Overall description of the vulnerability, including its CVSS score, the impact of the vulnerability if exploited, and the CVE number (if applicable).
• Identification of products and versions affected.
• Patches or mitigating actions to reduce the risk of exploitation, including patch download instructions where applicable. Schneider Electric always encourages customers to take advantage of these updates and/or instructions and patch their installations appropriately.