Safety & security are incredibly important to PTC and to the ecosystems we serve. As we see greater convergence of physical and digital systems, we all carry a shared responsibility to develop and maintain more secure, defensible, and resilient systems. PTC is committed to doing our part through robust security programs and initiatives. As an extension to our own efforts, PTC wishes to team with willing allies acting in good faith. As such, PTC welcomes the invaluable contributions offered by security researchers. To ensure a smooth and streamlined process, we are introducing our Coordinated Vulnerability Disclosure Program.
For the initial scope, this pilot will focus on ThingWorx branded products to ensure our full attention to areas where vulnerabilities could potentially affect industrial and safety critical environments. We intend to broaden the scope to include additional products as the program matures.Legal Posture
PTC will not pursue legal action for those acting in good faith and in adherence to the coordination instructions and guidelines described in this policy, including compliance with all applicable laws.
Communicating with PTC
To ensure proper handling of the disclosure in both directions, please adhere to the following instructions:
Once we have received your message, an appropriate PTC employee will acknowledge receipt within seven (7) calendar days.
What we expect of you
We are willing to work with security researchers who comply with the following guidelines:
What you can expect from PTC
Once we have received a submission, PTC will:
Where necessary or if we are unable to resolve communication issues or other problems, PTC may bring in a neutral third party (such as CERT/CC, DHS-ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.
Note: Any information shared with PTC may be used by PTC in any manner determined appropriate by PTC. Submitting any information will not create any rights for the submitter, nor will it create any obligations for PTC.