OSIsoft Ethical Disclosure

The Security Development Lifecycle at OSIsoft results in more secure code with fewer vulnerabilities. However, software without a single potential vulnerability or security hole does not exist in the real world. Inevitably, new vulnerabilities affecting OSIsoft products will appear over time. Preparing a response process is essential in any plan of action prior to customers being affected. OSIsoft’s policy on ethical disclosure is a foundation of core values to guide this response process.

What is ethical disclosure?

Vulnerability disclosure is the practice of publishing information related to a security vulnerability found in software. The purpose of such a disclosure is to inform the customer of the potential risks, so that they can take action to minimize the effects of the vulnerability. The question of whether or not to disclose a newly found vulnerability is one of the most sensitive decisions a software provider can make. As a trusted provider, we want to inform customers of issues that could impact their operations. However, releasing too much information about a vulnerability too quickly could result in an intruder using it to gain an upper hand against customers. This policy, and the values outlined in it, document how OSIsoft balances these two extremes.

Goals for ethical disclosures

1. Communicate in a predictable manner to customers

OSIsoft strives to publish regular security bulletins in coordination with Microsoft Patch Tuesday (usually the 2nd Tuesday of each month). Releasing security bulletins on a regular schedule minimizes the need for the customer to constantly monitor for security issues in their OSIsoft product deployment. The customer knows when to check for updated information about possible vulnerabilities, allowing them to plan for such updates at their convenience. Coordinating the bulletin schedule with the release cycle provides a natural planning window for a security bulletin and the release of product security updates.

2. Empower our customers, not would-be attackers

Security bulletins and associated product documentation will provide information useful for managing cyber risk while avoiding sensitive details potentially useful to attackers. In practice, this is more difficult than it sounds. Oftentimes, those unfamiliar with cyber security intrusion methods cannot easily identify when too much information has been provided. OSIsoft strives to carefully research and evaluate each vulnerability against its potential risk to make a determination about reporting it to the public. When in doubt, we have sought, and will continue to seek, professional review by industry security experts.

3. Explain what is happening

Security bulletins are the result of much research and careful evaluation, and explain each security vulnerability as accurately as possible with the information available at that time. In essence: how bad is it? How will the customer reading the bulletin know if they are affected? What can the reader do to protect their deployment? Situational awareness is taken into account, including information about how the issue was discovered, whether a fix or workaround is available, and the level of exploit activity (when applicable). Such context helps customers assess urgency and develop an action plan. This is the basic goal of each bulletin: to equip and empower the user. Most security updates are handled by our customers as regularly scheduled work items; however, OSIsoft will strive to communicate its informed opinion on the particular urgency of any given security issue.

4. Communicate what is important

Not all products are as ubiquitous as others. Information about vulnerabilities in widely used PI System components will be handled with more importance; however, severity, active exploitation, or requests by regulators are factors that increase the importance of a security bulletin regardless of the relative use of the OSIsoft product(s) affected. Our preference for formal vulnerability disclosure to the security community includes professional coordination by the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). Public media and the trade press are inappropriate forums for vulnerability disclosure.

Core values regarding disclosure of vulnerabilities

  1. OSIsoft commits, first and foremost, to doing no harm when it comes to the disclosure of security vulnerabilities. The primary consideration for each published security bulletin is whether releasing it has a realistic possibility of inadvertently harming our customers. A YES answer runs counter to our core values, and we do not report the vulnerability in its current state. This tenet shows our commitment to making all decisions in cyber security matters with our relationship with each customer in mind.
  2. We strive to empower our customers with timely and actionable information with the goal of helping them make informed decisions regarding security around their implementation of our software. One path to this is informing customers about security vulnerabilities, including how regular software updates can address those vulnerabilities. As is the case in health and medicine, preventative maintenance through applying regular updates is often more effective and less resource intensive than fixes and workarounds.
  3. Security is based upon trust. Customers need open and transparent information about security around OSIsoft products to better protect themselves, and OSIsoft is committed to providing the appropriate information to maintain such trust.

Philosophy on self-reporting vulnerabilities

OSIsoft takes pride in being a leader when it comes to self-reporting internally discovered security vulnerabilities to CISA, the customer base, and the public. Each vulnerability goes through a thorough process to determine whether to disclose it publicly. One of the most important factors for disclosure is the Common Vulnerability Scoring System (CVSS) score, which gives an idea of the severity and potential harm. These scores are used to categorize vulnerabilities into Low, Medium, High and Critical categories as a metric for evaluating each and every disclosure. Another factor is the impact to our customers, determined by careful analysis and research to understand the context and appropriateness of a disclosure in the overall scheme of the product deployment.

Why do we self-report vulnerabilities?

  1. To put the focus on the customer. Our primary goal is to secure our customers’ implementation of our software.
  2. To make it easier for our customers to find all vulnerability information in one location, CISA, on a regular schedule.

When warranted by analysis, we will report our vulnerabilities to CISA typically sixty days after a software update addresses the issues. This reinforces our primary goal: first and foremost, do no harm when it comes to disclosure of vulnerabilities.

Corporate policy on ethical disclosure

This policy applies to software code vulnerabilities in general accordance with ISO/IEC 29147 standards and the domain specific Common Industrial Control System Vulnerability Disclosure Framework developed by the US Department of Homeland Security Industrial Control Systems Joint Working Group.

  1. OSIsoft will only disclose a vulnerability when the disclosure includes actionable information such as a way to fix or remediate the issue.
  2. OSIsoft will never disclose any details of the vulnerability that could lead to the development of an exploit of the vulnerability.
  3. Disclosures of vulnerabilities are released as Security Bulletins, Release Notes, Tech Support Notes, Knowledge Base Articles, and Advisories through the Support Website.

How does OSIsoft respond differently to different types of vulnerabilities?

An Incident Response Plan process is activated to evaluate the vulnerability and determine if it meets the most basic criteria for an escalated response. An incident commander is assigned to coordinate response activities including escalation to executive leadership for critical issues affecting released products.

OSIsoft then takes one of three different approaches to responding to a vulnerability, depending on who found it, how severe the potential exploit may be, and other compounding factors. The approaches differ in communication methodology, as follows:

1. OSIsoft internally discovers a vulnerability in the PI System

A remediation plan is generated, including security bulletins for high and medium level issues. The availability of actionable information, such as general release of a product update or an avoidance procedure, shall be communicated. Advance notice is provided to customer and partner channel stakeholders, followed by general availability and coordinated disclosure with CISA (or an equivalent public service) when OSIsoft decides, after careful analysis, that a wider audience is warranted.

2. Third-party discovers a vulnerability in the PI System

OSIsoft encourages vulnerability reports from third parties and strives to maintain regular communication with the third party during the incident response phases, including reproduction of the issue, root cause triage, impact assessment, remediation plan, and confirmation of the fix as appropriate. Disclosure plans are generated in collaboration with the third party. OSIsoft favors coordinated disclosure with actionable information such as general release of a product update or an avoidance procedure. Acknowledgement of third-party discovery is subject to consent.

3. Actively-exploited vulnerability in the PI System

OSIsoft will actively engage all partners and customers with recommended defenses, mitigations, and guidance on vulnerabilities that are already known to the public and might be open to exploitation. It is important to note that for this type of situation, OSIsoft will engage with customers immediately and will not wait to follow the regular cycle of patch or software release. Additionally, regularly scheduled software updates addressing vulnerabilities will be provided to the customer when available. Senior leadership within the company will be involved to ensure rapid and effective resolution of the vulnerability.

Last revised March 05, 2020