Our Security Strategy
Xylem is a technology company committed to innovation while addressing the security needs of all of our solutions through continuous improvement. Alongside a risk-based approach to security design and implementation, our engineering, development, and cybersecurity teams remain focused on identifying and eradicating security vulnerabilities. Our practices include:
- Implementation of Security by Design principles throughout the product development lifecycle
- Collaboration with InfraGard, a partnership between the Federal Bureau of Investigation and members of the private sector
- Membership in the Water Information Sharing and Analysis Center (WaterISAC), the international security network created by and for the water and wastewater sector. Customers and partners can learn more about security preparedness for the sector at www.waterisac.org.
We also encourage our customers and partners to follow generally accepted IT and cybersecurity best practices.
Vulnerability Response and Disclosure
Xylem’s Product Security Incident Response Team (PSIRT) manages the response to security vulnerabilities that pose a risk to Xylem fielded products.
Xylem is an approved CVE Numbering Authority (CNA) for Xylem products and technologies.
Security researchers, customers, vendors, and industry partners can report product security vulnerabilities to product.security@xylem.com. Reports should be encrypted with PGP, since they may contain proof-of-concept or exploit details that should not travel in cleartext.
Vulnerability Reporting
When reporting a vulnerability, please include the following information:
- Product name and version
- Description of the potential vulnerability
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof of concept or exploit code, if available
- Potential impact
- Any other relevant information
Triage
Xylem PSIRT will acknowledge receipt of the report and begin triage. If the reported vulnerability is determined to be valid, a risk assessment is performed that takes into account the following:
- Technical Severity (CVSS score)
- Business Impact
- Product Deployment
Remediation
A remediation plan is then determined based on the assessed risk of the vulnerability. Remediation plans can include patches, updates, configuration changes, or compensating controls where a fix cannot be applied immediately.
Disclosure
Once the remediation plan is available, Xylem PSIRT will coordinate the appropriate disclosure. Disclosure may use one or more of the following channels, including but not limited to: direct customer notification, publication of a Xylem Product Security Advisory at www.xylem.com/security, and Coordinated Vulnerability Disclosure through DHS CISA.