Security Vulnerability Disclosure Policy of Sumitomo Heavy Industries Corporate Group

Sumitomo Heavy Industries, Ltd. and its affiliated companies (hereinafter "SHI Group" or "the Corporate Group") are committed to ensuring the security of their products and services and to protecting customers from cyber threats.
To this end, the Corporate Group collects and discloses information regarding product vulnerabilities.

1. Product Vulnerability Management

The Corporate Group has established a Product Security Incident Response Team (PSIRT) to address vulnerabilities related to its products.
The PSIRT collects information on product security vulnerabilities from various sources and identifies and mitigates risks based on this information.

2. Applicable Products

This policy applies to products manufactured by the Corporate Group and applications provided by the Corporate Group that are used in conjunction with those products (hereinafter referred to as "Applicable Products").

3. Exclusions

The following are out of scope for reports under this policy:

  • Vulnerabilities already known to the Corporate Group and for which countermeasures have been publicly disclosed.
  • Social engineering attacks impersonating the Corporate Group.
  • Vulnerabilities detected by automated scanning tools that have not been manually verified.
  • Vulnerabilities related to products that are no longer supported by the Corporate Group.

4. Bug Bounty Program

Regardless of the content of the vulnerability information (hereinafter referred to as "Vulnerability Information"), the Corporate Group does not offer any rewards (monetary or otherwise) to individuals who report vulnerabilities (hereinafter referred to as "Reporters").

5. Handling of Vulnerability Information

5.1 Submission
The reporting form is for vulnerability submissions only.
Receipt of the report will be confirmed via an acknowledgment email sent to the specified email address within seven calendar days of submission.
Please note that responses may be delayed during the Corporate Group’s holiday periods (e.g., New Year, summer holidays, Golden Week).

5.2 Initial Response
Upon receiving a report, the Corporate Group will review the content. If the reported issue is determined to be a new vulnerability, the Corporate Group will promptly notify the Reporter via the specified email address.

5.3 Investigation, Response, and Disclosure
Progress updates will be provided as necessary. If the issue is confirmed as a new vulnerability, the Corporate Group will coordinate with relevant parties* to determine the disclosure date and publish a security advisory once preparations are complete.
Additional information may be requested during the investigation process, and cooperation is appreciated.

  • *Relevant parties may include:

    • The Reporter
    • Internal stakeholders (e.g., technical, public relations, legal departments)
    • External stakeholders (e.g., suppliers, industry organizations such as JPCERT)

6. Vulnerability Countermeasures

In responding to vulnerabilities and security incidents, the Corporate Group may collaborate with government agencies as necessary to provide information to customers.
Vulnerability information and countermeasures will be disclosed at an appropriate time.
If a vulnerability is deemed to potentially affect specific customers, the Corporate Group may contact them individually through its sales channels.

7. Rights Regarding Reported Vulnerability Information

By submitting Vulnerability Information to the Corporate Group, the Reporter agrees to the following:

  • The Reporter represents and warrants that they have the legal right to report the Vulnerability Information and that it does not infringe upon the rights of any third party.
  • The Reporter shall not exercise moral rights of authorship against the Corporate Group or any party that inherits or is licensed such rights from the Corporate Group, nor shall the Reporter cause any author to exercise such rights.
  • The Reporter hereby grants the Corporate Group a worldwide, non-exclusive, royalty-free, sublicensable, and transferable license to use the Vulnerability Information and any associated intellectual property rights.

    This license includes, but is not limited to, the right to:

    • develop and publish countermeasures and workarounds based on the Vulnerability Information;
    • modify and improve existing products;
    • develop, manufacture, commercialize, sell, and distribute products that have been modified, improved, or newly developed based on the Vulnerability Information.
  • The Reporter agrees not to disclose or use any part of the Corporate Group’s response to the report without prior consent.

8. Handling of Personal Information and Contact Information

Personal information will be handled in accordance with our Privacy Policy outlined below.