Coordinated Vulnerability Disclosure
Security is a continuous process. No software is ever fully “cyber secure” — there are only known and unknown issues, and our goal is to reduce risk by resolving known issues as quickly as possible. Omnicon Automation, in cooperation with SunForest BV, operates a responsible disclosure process for EnvisionSCADA and appreciates the work of security researchers who help us keep customers safe.
Security Contact
Please report suspected vulnerabilities directly and privately to our dedicated security inbox:
- Email: security@envisionscada.com
- A PGP key for encrypted reports is available on request.
- Please do not report vulnerabilities through public channels (support tickets, forums, or social media) until they have been resolved.
How to Report
To help us triage and reproduce the issue quickly, please include as much of the following as possible:
- Affected product version / build number and deployment type (e.g. Windows, Docker).
- Environment details (operating system, browser, network configuration where relevant).
- A clear description of the vulnerability and its potential impact.
- Step-by-step instructions to reproduce, including any proof-of-concept.
- Your contact details and whether you would like public credit for the finding.
Supported Versions
Security fixes are delivered in the latest EnvisionSCADA release. Because the product includes free lifetime updates, we strongly recommend keeping deployments current. Customers on older versions should upgrade to receive the latest security patches. Where a critical issue affects a widely deployed version, we will communicate mitigation guidance directly.
Responsible Disclosure Policy
We ask that researchers act in good faith and follow coordinated disclosure principles:
- Do not access, modify, or delete data that does not belong to you, and limit testing to what is necessary to demonstrate the issue.
- Do not disrupt or degrade our services (no denial-of-service, spam, or social engineering).
- Give us reasonable time to investigate and remediate before any public disclosure.
- In return, we will acknowledge your report, keep you informed of progress, and credit you (with your permission) when the fix is published.
Severity Classification
We assess each report and assign a severity level, supported by a CVSS score:
Critical
- Remote code execution
- Authentication bypass
- Privilege escalation
High
- Sensitive data exposure
- Persistent (stored) XSS
- SQL injection
Medium
- Denial of service
- Information leakage
Low
- Minor information disclosure
- UI / display bypasses
Response Timeline
Our target handling times, based on assessed severity:
- Critical — acknowledged within 24 hours; hotfix issued as soon as possible.
- High — acknowledged within 2 business days; fix targeted within 14 days.
- Medium — addressed in the next scheduled release.
- Low — evaluated and scheduled on a case-by-case basis.
Vulnerability Tracking
Every valid report is assigned a unique internal identifier — for example ESCADA-SEC-2026-001 — and tracked through to resolution. For each issue we record:
- Reporter
- Date received
- Affected versions
- Severity
- CVSS score
- Root cause
- Fix version
- Date fixed
- Date disclosed
Security Advisories
When we resolve a reported security issue, we publish a public advisory (identifier ESA-YYYY-NNN) so customers can assess their exposure and upgrade. Each advisory lists the affected and fixed versions, impact, CVSS score, mitigation, and credit.