Vulnerability Disclosure Policy

1. Purpose

We consider ensuring the security of the cloud-based EMS we provide, as well as related equipment and services, to be of critical importance.

This policy sets forth the contact point for reporting vulnerability information regarding our products, and outlines the basic response process we will follow after receiving a report.

2. Scope

This policy applies to the following products and services:

  • Grid Shield EMS / Grid Shield EMS Advance (cloud-based EMS)
  • Remote monitoring services provided by us
  • DSA (Device Secure Access) service
  • Equipment provided by us (boundary communication terminals, output control terminals, frequency control terminals, data collection devices, etc.)
  • Cloud, communications, and operational services provided by us in connection with the above

If you are unsure whether an issue falls within this scope, please still report any information that may be related to our products to the contact point below.

3. Contact for Vulnerability Reports

Reports regarding security issues in our products are accepted at the following contact point:

Contact point: Service Operations Department, Vulnerability Management Team
Email address: vulnerability@ex4energy.jp
Inquiry form: https://ex4energy.jp/contact/
Hours: Weekdays, 9:00 to 17:00 (JST)

When reporting, please include as much of the following information as possible:

  • Name of the affected product/service
  • Model of the affected device and software/firmware version
  • Date and time of discovery
  • Summary of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Test/verification environment
  • Your contact information

4. Procedure After Receipt

In principle, we will respond to received vulnerability information according to the steps below.

4-1. Acknowledgement of Receipt

After receiving a report, we will review the details and, as necessary, contact the reporter to acknowledge receipt.

4-2. Review and Request for Additional Information

We will review the report, and if necessary, may request that the reporter provide additional information.

4-3. Impact Investigation and Reproduction Verification

We will confirm whether the affected product/service is impacted, whether the issue is reproducible, and whether a response is required.

4-4. Determination of Response Policy

As necessary, we will consider countermeasures such as workarounds, configuration changes, operational precautions, software fixes, firmware updates, or other measures.

4-5. Coordination with Stakeholders

As necessary, we will coordinate with relevant users, maintenance companies, contractors, device vendors, and other related parties.

4-6. Notification After Completion of Response

As necessary, we will inform the relevant users or stakeholders of the response details, workarounds, update methods, and other required information.

5. Status Updates

Until the vulnerability is resolved, we may provide status updates using the following methods, as appropriate:

  • Individual communication with the reporter
  • Individual notification to affected users or contracting parties
  • Posting on the product website
  • Notification through maintenance/support channels

Updates may include, as necessary:

  • That an investigation is ongoing
  • Scope of impact
  • Temporary mitigation measures
  • Planned release of a fixed version
  • Notice of completion of the response

However, from the standpoint of ensuring security, we may not immediately disclose all detailed information.

6. Requests to Reporters

When reporting, please be mindful of the following:

  • Do not engage in actions that could significantly impact the continuity of our services or those of our users
  • Do not acquire or transmit personal information, confidential information, or third-party information beyond what is necessary
  • Do not engage in activities that could constitute tampering, destruction, interference, or unauthorized access beyond what is required to confirm the vulnerability
  • Coordinate appropriately with us prior to public disclosure

7. Disclaimer, etc.

We will review and respond to submitted reports in good faith; however, we do not guarantee an individual response to every report, payment of any reward, corrective actions, or public disclosure.

We will also respond in accordance with applicable laws and our internal policies.

8. Revisions

We may revise this policy as necessary.

The revised policy will be made public by posting it on our product website or by other methods prescribed by us.