Incident Response

Xylem’s Product Security Incident Response Team (PSIRT) manages the response to security vulnerabilities that pose a risk to Xylem fielded products.

Xylem is an approved CVE Numbering Authority (CNA) for Xylem products and technologies.

Vulnerability Response and Disclosure

Security researchers, customers, vendors, and industry partners can report Xylem product security vulnerabilities to product.security@xylem.com. Xylem recommends that you encrypt confidential information sent to Xylem via email with PGP encryption; the Xylem PSIRT public key is available here.

Vulnerability Reporting

When reporting a vulnerability, please include the following information:

  • Product name and version
  • Description of the potential vulnerability
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof of concept or exploit code, if available
  • Potential impact
  • Any other relevant information

Triage

Xylem PSIRT will acknowledge receipt of the reported potential vulnerability and begin triage. If the reported vulnerability is determined to be valid, a risk assessment will be performed. The risk assessment will take into account the following:

  • Technical Severity (CVSS Rating)
  • Business Impact
  • Product Deployment

Remediation

A remediation plan will then be determined based on the risk of the vulnerability. Remediation plans can include patches, updates, configuration changes, or implementing compensating controls.

Disclosure / Security Advisory

Once the remediation plan is available, Xylem PSIRT will coordinate the appropriate disclosure. Disclosure can include, but is not limited to, a combination of direct customer notification, publication of a Xylem Product Security Advisory, and Coordinated Vulnerability Disclosure through DHS CISA.

Sensus Product Security

Sensus regularly provides our customers with information on threats and risks to the AMI industry and to our solution. This keeps our customers informed and also gives Sensus a communication mechanism for learning about the security issues our customers face.

Managing Cyber Risk in the Water Sector

Learn more about keeping critical infrastructure up and running, safely and efficiently here.
