PTC Coordinated Vulnerability Disclosure Reporting (v1.0)

PTC values security research

Safety & security are incredibly important to PTC and to the ecosystems we serve. As we see greater convergence of physical and digital systems, we all carry a shared responsibility to develop and maintain more secure, defensible, and resilient systems. PTC is committed to doing our part through robust security programs and initiatives. As an extension to our own efforts, PTC wishes to team with willing allies acting in good faith. As such, PTC welcomes the invaluable contributions offered by security researchers. To ensure a smooth and streamlined process, we are introducing our Coordinated Vulnerability Disclosure Program.

Initial Scope

For the initial scope, this pilot will focus on ThingWorx branded products to ensure our full attention to areas where vulnerabilities could potentially affect industrial and safety critical environments. We intend to broaden the scope to include additional products as the program matures.

Legal Posture

PTC will not pursue legal action for those acting in good faith and in adherence to the coordination instructions and guidelines described in this policy, including compliance with all applicable laws.

Communicating with PTC

To ensure proper handling of the disclosure in both directions, please adhere to the following instructions:

  • Submit your report in English to cvd@ptc.com
  • Use our PGP public key available on this web page or other encryption methods to encrypt the message.
  • Do not include sensitive information (other than information related to the vulnerability details) in any screenshots or other documents or content you provide to us.

Once we have received your message, an appropriate PTC employee will acknowledge receipt within seven (7) calendar days.

What we expect of you

We are willing to work with security researchers who comply with the following guidelines:

  • Avoid any testing (or hacking) on active environments (use test or development environments to perform vulnerability testing)
  • Comply with all applicable laws and regulations
  • Do not access or modify any data in any account or system for which you do not have legal control
  • Do not take advantage of the vulnerability or any issue you have discovered; do not take any disproportionate or illegal actions
  • We ask you to work with PTC on selecting public release dates for information on discovered vulnerabilities to minimize the possibility of public safety, privacy and security risks
    • Inform us of your disclosure plans, if any, prior to public disclosure
    • Involve DHS-ICS-CERT, CERT/CC, relevant Regulators, or other appropriate government entities when prudent
    • Provide us with details of any communication on the vulnerability (and CVE) to vulnerability coordinators
  • Preference: Well-written reports in English will have a higher chance of prompt resolution
  • Preference: Reports that include proof-of-concept code equip us to better triage

What you can expect from PTC

Once we have received a submission, PTC will:

  • Acknowledge receipt within seven (7) calendar days.
  • Perform an initial assessment on the potential findings to determine accuracy, need for escalation and product group to escalate to. In this phase, you may:
    • Receive requests for additional information, or
    • Receive notification that the vulnerability is not accepted into the program because it does not meet the criteria of the program or provide sufficient detail. (You may respond to any notifications of non-acceptance by contacting cvd@ptc.com)
  • Develop a resolution and take appropriate action depending on the criticality scoring of the vulnerability.
  • Provide the researcher with public recognition if requested and if the report results in a publicly released fix or communication.

Where necessary or if we are unable to resolve communication issues or other problems, PTC may bring in a neutral third party (such as CERT/CC, DHS-ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.

Note: Any information shared with PTC may be used by PTC in any manner determined appropriate by PTC. Submitting any information will not create any rights for the submitter, nor will it create any obligations for PTC.

;