Vulnerability Reporting and Disclosure

Johnson Controls has demonstrated passion for quality products and dedication to our customers for more than a century. That history continues to carry us forward into the 21st Century, where cyber threats to connectivity and automation are realities our customers face. Together, manufacturers, integrators and customers can partner to better secure building systems.

In order to analyze, mitigate and eliminate vulnerabilities in partner software, Johnson Controls has established internal measures to review our use of open-source software libraries and third-party software components in addition to regular reviews of our own software code to identify potential areas malicious actors may use to exploit our customers.

We value the work of independent security researchers, consultants and others who wish to join us in protecting our customers’ building systems and data. Assessing findings, clearing false positives found by traditional IT security vulnerability scanning tools, and remediating actual vulnerabilities are top priorities for our dedicated Product Security Incident Response Team (PSIRT), Global Product Security team and our entire company.

When an actual vulnerability is discovered post-release, sometimes called “in the wild”, one of our practices is to publicly notify stakeholders on our Security Advisories page here on www.johnsoncontrols.com/productsecurity and through notification to the Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security that promotes control system cyber security. In those advisories, we give credit to any external security researchers or others who performed the research effort needed to discover previously unknown vulnerabilities. Our decision to publicly report or not report vulnerabilities, and the timing of that decision, is made with the security interests of our customers in mind, and with our goal of reducing the opportunity for malicious actors to exploit our customers’ building systems before the customer has had time to take action to remediate the vulnerability.

How to Report

To better protect our customers and honor the trust they put in us, we are firm believers in responsible coordinated disclosure. Security researchers, consultants and others who believe they may have found a potential security vulnerability in a Johnson Controls product should promptly notify our Product Security Incident Response Team (PSIRT) by email at productsecurity@jci.com.

We have established a public PGP key so that those who wish to communicate with us via encrypted email can do so. Here is the link to the JCI public key.

https://pgp.mit.edu/pks/lookup?search=beproductsecurity%40jci.com&op=index

(You will need to follow the instructions for your specific email client in order to use this encryption standard.)

Those working directly on behalf of a Johnson Controls customer should also notify their local Johnson Controls representative. Thank you for your partnership with us in creating a smarter, safer, more sustainable world.