Report an OSIsoft Computer or Software Security Vulnerability

OSIsoft investigates all reports of security vulnerabilities affecting OSIsoft products and services. If you believe you have found an OSIsoft security vulnerability, we would like to work with you to investigate it.
 

To report a vulnerability:

  • Send an e-mail to the Incident Response Team at secure@osisoft.com 
- or -

Response time:

You will receive a response within 24 hours. If for some reason you do not, please follow up with us to ensure we received your original message.
 

What to include in your report:

To help us to better understand the nature and scope of the possible issue, please include as much of the below information as possible.
 
  • Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
  • Product and version that contains the bug, or URL if for an online service
  • Service packs, security updates, or other updates for the product you have installed
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue on a fresh install
  • Proof-of-concept or exploit code
  • Impact of the issue, including how an attacker could exploit the issue

Additional Information:

OSIsoft follows an Ethical Disclosure Policy and, to protect the ecosystem, we request coordination with those reporting to us.

Email recipients at OSIsoft.com are protected by StartTLS as negotiated per sender (you can verify settings with CheckTLS.com). Request a key from our incident commander if you prefer to use PGP messaging for more sensitive details.

If you want to remain anonymous to the public, we will honor your request. OSIsoft does appreciate the opportunity to work collaboratively with researchers and users to understand and correct issues whenever possible.

For further information, consider consulting Microsoft’s definition of a security vulnerability as well as ICS-CERT Industrial Control System Joint Working Group white paper “Common Industrial Control System Vulnerability Disclosure Framework.”