OpenSynergy’s Security and Safety Mission

What is a Security or Safety Vulnerability?

A security vulnerability is an unexpected flaw within an OpenSynergy software product that can be exploited to perform unauthorized actions. Unauthorized actions include unauthorized access to information or unauthorized modification of information.

OpenSynergy’s software products are designed and developed to be safe for their intended use. While typical safety risks are not applicable to our software products, we recognize that cybersecurity vulnerabilities may introduce uncertainties that could indirectly affect safety.

Therefore, we consider safety through the lens of cybersecurity, assessing how security vulnerabilities might impact the safe operation of our products.

Our product documentation provides relevant safety and security information, including instructions for safe use.

OpenSynergy’s Commitment

Our mission is to provide products to our customers that are secure, safe, and fit for purpose. OpenSynergy takes great care in the design and development of its software products to prevent released products from being subject to security or safety vulnerabilities.

Nevertheless, such vulnerabilities might be present in released products and might come to our attention during internal analysis or from reports that we occasionally receive from our customers, our partners, or independent research institutes.

We encourage all third parties to report security or safety vulnerabilities directly to us following the process outlined in the section “Reporting a Security or Safety Vulnerability.” We value every report communicated to us by customers, partners, or third parties. We will assign the submitted report a tracking number and respond within four working days to acknowledge receipt of the report. We will evaluate the contents of the report and outline the next steps in the process. We are committed to being responsive and keeping reporters informed of our progress as we investigate and mitigate the reported security or safety concern.

When it comes to disclosing security or safety vulnerabilities, OpenSynergy is committed to following the Responsible Disclosure approach. This process has two steps: a confidential stage allowing our customers to understand and address the issue and a delayed public disclosure.

As soon as the security or safety vulnerability has been analyzed and the risk has been identified, we will inform the supported customers of the affected products (directly or via our distributors) disclosing the nature of the vulnerability, the potential security or safety risks, and available work-arounds or mitigations. This confidential stage must have a reasonable duration to enable our customers to take appropriate measures to reduce the impact of the detected flaw on the security and safety of the public.

If any risks are identified, they are mitigated to a level considered safe before continued product use or distribution.

In the public stage, the vulnerability will be publicly disclosed and will be included in our “List of Vulnerabilities.” To support the Responsible Disclosure approach, we ask reporters of vulnerabilities to coordinate their disclosure plans (if any) closely with us: ideally, our public disclosures should be simultaneous.

Reporting a Security or Safety Vulnerability

If you suspect a security or safety vulnerability or have any concerns impacting safety, please contact the OpenSynergy Security and Safety Team by sending an email to psec@opensynergy.com that includes the following information:

  • Your name, contact information, and affiliation (customer, partner, independent research institute, …)
  • A description of the vulnerability and the environment in which it was discovered
  • Detailed steps to reproduce the vulnerability
  • The name, version, and configuration details of the affected product
  • Any specific plans (e.g., disclosure) or expectations you have around the reported vulnerability