Product Vulnerability Handling and Disclosure Policy
1. Purpose of this policy
Azbil Corporation establishes this policy with the aim of reducing the risk of cyber threats to our customers’ assets and ensuring their safety. The policy is intended to ensure the appropriate and prompt resolution of vulnerabilities in Azbil products and cloud services.
2. Vulnerability handling process
Our vulnerability handling process consists of the following four steps.
2.1 Receipt of vulnerability reports
We accept information regarding vulnerabilities in our products. Upon receiving the reported information, we will collaborate with relevant business units and coordinating organizations (such as JPCERT/CC and overseas CERTs) to promptly consider countermeasures.
Initial response
Once we have confirmed receipt of vulnerability information, we will contact you within 5 business days to acknowledge it. Please note that responses may be delayed during holiday periods such as the year-end and New Year holidays, Golden Week, and summer vacations.
Reporting contact
Please report vulnerability information to the following Azbil product vulnerability reporting contact:
Vulnerability Reporting Form for Azbil Products
Important note for reporting
This contact is for vulnerability reports only. For products not manufactured by us, please contact the respective manufacturers.
2.2 Vulnerability analysis and assessment
We determine whether the reported vulnerability is a “new vulnerability” based on the following confirmation criteria:
- Does it have the potential to impact the security of our products (could it adversely affect confidentiality, integrity, or availability)?
- Can it be reproduced (is it possible to replicate the occurrence with our products)?
- Is it unpublished information (has it not been disclosed by public agencies, other companies, or external databases)?
If it is determined to be a new vulnerability, we will assess its severity using metrics such as the CVSS (Common Vulnerability Scoring System) score and prioritize countermeasures accordingly.
2.3 Countermeasures for vulnerabilities
Based on the severity of the vulnerability, we will implement fundamental countermeasures such as patches and upgrades. Additionally, depending on the nature of the vulnerability, we may provide guidance on workarounds or temporary mitigations (specific methods to reduce the impact of the vulnerability).
2.4 Provision of vulnerability information
We will provide vulnerability information to our customers through an Azbil Group ADVisory (AGADV). The timing and content of the publication will be determined in consultation with the reporter and relevant organizations, based on the principles of Coordinated Vulnerability Disclosure (CVD), and we will ensure that users are informed at an appropriate time.
Vulnerability information that has reached its publication date will be disclosed to users through individual notifications via sales contacts based on product purchase information, as well as through the Azbil website (link provided below) and external organizations.
Vulnerability Information for Azbil Products
3. Other matters
We will continuously review our initiatives based on this policy and strive to manage vulnerabilities more effectively and respond promptly. This policy may be revised without prior notice. Any revisions will be announced on our website and other platforms.
Revision history:
Established: March 31, 2025