GE Logo
Security

How to Submit a Vulnerability

To submit a vulnerability to GE’s Product Security Incident Response Team (PSIRT), please fill the form at https://www.ge.com/security. Please do not include identifiable sensitive data (e.g. personal data, specific system configuration) within the body of the communication or any attachments (e.g. screenshots, images or log files).

We request the following when reporting a vulnerability:

  1. Please provide your report in English;

  2. Include specific information about affected products, including model or serial numbers, geographic location, software version, and the means of obtaining the product;

  3. If you have developed a proof-of-concept for exploiting the vulnerability, please include the code and explanation for the exploit;

  4. If you are aware of any incidents of this vulnerability being exploited on equipment in the field (e.g. a Grid Solutions’ customer was directly impacted by this vulnerability)

  5. Information on how you discovered the vulnerability, your thoughts on impact or CVSS scoring, and potential remediations will help us to triage the vulnerability more quickly

  6. Please include relevant information about yourself or the company/organization you are representing, or if you prefer to remain anonymous.

  7. Please let us know if you have a preferred method of contact during our internal triage process

  8. Please include your intentions for disclosing the vulnerability to us, or if you intend to disclose the vulnerability to the public

What you may expect from us:

  • We will acknowledge receipt of your message within 48 hours;

  • In the following phase of initial triage and assessments, an appropriate member of the GE PSIRT may reach out to you to:

      Request additional information, or

      Communicate an expected process and timeline, or

      Notify you that the report is either out of scope or will not be triaged for other reasons;

  • Once we have conducted our own assessment of the vulnerability, we will communicate our process and findings as a result of the investigation;

  • We will provide public recognition for the security researcher (if requested) and if the report results in a public disclosure

Where necessary, Grid Solutions may request a neutral third party to assist in resolution of the inquiry.

By submitting a request, you acknowledge that Grid Solutions may use in an unrestricted manner (and allow others to do the same) any data or information that you provide to Grid Solutions. Your submission does not grant you any rights under Grid Solutions intellectual property or create any obligations for Grid Solutions.