Introduction (Basic Policy)

Matsuura Machinery Corporation (hereinafter “Matsuura”) is committed to continuously improving the cybersecurity of our products to ensure that our customers can use our machine tools and related software safely and securely.

We have established a “PSIRT (Product Security Incident Response Team),” a specialized organization for the rapid collection, analysis, and mitigation of vulnerability information related to our products. We operate a highly transparent vulnerability handling process in compliance with international standards (such as ISO/IEC 29147).

Vulnerability Reporting

If you discover a vulnerability (security flaw) in any of the products handled by Matsuura, please provide the information via the dedicated form below.

Vulnerability Report Form*Opens in a new window

Information Requested

• Product name and model name
• Software version
• Details of the vulnerability (reproduction steps, potential impact, etc.)
• Reporter’s contact information (Optional)

Vulnerability Handling Process (Steps)

Matsuura will handle reported vulnerabilities through the following steps:

• Receipt and Acknowledgement: Upon receiving a report, we will, in principle, send an acknowledgement of receipt within [7 business days].
• Investigation and Analysis: Our specialized engineers will verify the reproducibility of the vulnerability and assess its impact (on confidentiality, integrity, and availability). We will keep the reporter informed of the progress as appropriate until the resolution.
• Mitigation Development: If a vulnerability is confirmed, we will develop a security patch or establish workaround measures to mitigate the risk.
• Disclosure and Notification: Once the mitigation is ready, we will publish a Security Advisory (cautionary notice) on the “Product Security Information” page of this website.

Security Advisory Publication Policy

To enable our customers to take appropriate defensive measures, we will disclose the following information:

• Vulnerability identification number (such as CVE ID)
• Affected products and versions
• Overview of the vulnerability and potential risks
• Instructions on how to obtain security patches or workarounds

*In cases involving sensitive information or where the impact is limited to specific environments, we may provide individual notifications through our customer portal (e.g., MyMatsuura).

*During the coordination of disclosure dates with relevant vendors, we will limit the handling of undisclosed vulnerability information to involved parties to minimize the risk of information disclosure to third parties.

*Upon request from individuals who have contributed to the discovery, reporting, and resolution of a vulnerability, we will include an acknowledgment within the vulnerability information.

Compliance with EU Cyber Resilience Act (CRA)

Matsuura strives to comply with international regulations, including the European Union’s Cyber Resilience Act (CRA), and is committed to providing security updates throughout the product lifecycle.

• Support Period: We will provide security-related updates for a minimum of [5 years / or the product’s expected lifetime] from the date of shipment.
• Utilization of SBOM: We will maintain thorough management of Software Bill of Materials (SBOM) to ensure the early detection of vulnerabilities across the supply chain.