Overview

How to Submit a Vulnerability

For more information on submitting a vulnerability to GE Vernova, visit https://www.gevernova.com/security. Please do not include identifiable sensitive data (e.g. personal data, specific system configuration) within the body of the communication or any attachments (e.g. screenshots, images or log files).

We request the following when reporting a vulnerability:

  • Please provide your report in English;
  • Include specific information about affected products, including model or serial numbers, geographic location, software version, and the means of obtaining the product;
  • If you have developed a proof-of-concept for exploiting the vulnerability, please include the code and explanation for the exploit;
  • If you are aware of any incidents of this vulnerability being exploited on equipment in the field (e.g. a Grid Solutions’ customer was directly impacted by this vulnerability)
  • Information on how you discovered the vulnerability, your thoughts on impact or CVSS scoring, and potential remediations will help us to triage the vulnerability more quickly
  • Please include relevant information about yourself or the company/organization you are representing, or if you prefer to remain anonymous.
  • Please let us know if you have a preferred method of contact during our internal triage process
  • Please include your intentions for disclosing the vulnerability to us, or if you intend to disclose the vulnerability to the public

What you may expect from us:

  • We will acknowledge receipt of your message one business day;
  • In the following phase of initial triage and assessments, an appropriate member of the GE Vernova PSIRT may reach out to you to do one of the following:
    • Request additional information to your initial report
    • Communicate our expected triage process and timeline
    • Notify you that the report is either out of scope or will not be triaged for other reasons
  • Once we have conducted our own assessment of the vulnerability, we will communicate our process and findings as a result of the investigation;
  • If requested, we will include the reporter’s name in our final report if it results in a public disclosure