Coordinated Vulnerability Disclosure

This program provides a pathway for the public (e.g., security researchers, customers) to disclose vulnerabilities to GE Power and reduces the likelihood that an irresponsible disclosure (e.g., a security researcher reporting directly to the news) will be made. A legitimate pathway for vulnerability disclosure is an essential link between GE and the cybersecurity community.

To submit a vulnerability in a GE Gas Power product to the GE Gas Power Cybersecurity team, please send an email to [email protected], using the following GPG key to encrypt the report before sending it. We actively encourage reports to be sent to us for remediation prior to a public disclosure, so that we can properly address any vulnerabilities.

We request the following when reporting a vulnerability:

  • Please provide your report in English
  • Include specific information about affected products, including model or serial numbers, geographic location, software version, and the means of obtaining the product
  • If you have developed a proof-of-concept for exploiting the vulnerability, please include the code and explanation for the exploit
  • If you are aware of any incidents of this vulnerability being exploited on equipment in the field (e.g., a GE Gas Power customer was directly impacted by this vulnerability), please include that information
  • Information on how you discovered the vulnerability, your thoughts on impact or CVSS scoring, and potential remediations will help us to triage the vulnerability more quickly
  • Please include relevant information about yourself or the company/organization you're representing, or let us know if you'd prefer to remain anonymous
  • Please let us know if you have a preferred method of contact during our internal triage process
  • Please include your intentions in disclosing the vulnerability to us, and whether you intend to disclose the vulnerability to the public

In response, you can expect the following from us:

  • Acknowledgement of receipt of your report within 48 hours
  • During our initial triage of the vulnerability, the GE Gas Power Cybersecurity team may reach out to you to do one of the following:
    • Request information in addition to your initial report
    • Communicate our expected triage process and timeline
    • Notify you that the report is either out of scope or will not be triaged for other reasons
  • Once we have conducted our own assessment of the vulnerability, we will communicate our process and findings as a result of the investigation
  • If requested, we will include the reporter’s name in our final report if it results in a public disclosure