Data breaches, data theft, and other security threats frequently dominate today’s headlines, underscoring the critical importance of robust cybersecurity protocols.
At METTLER TOLEDO, we are dedicated to delivering high-quality solutions with a strong focus on security. Our comprehensive product security strategy safeguards the entire measurement and process chain, from precision sensors and analytical instruments through secure industrial gateways and control systems to enterprise data management platforms.
Our cybersecurity management system is designed in accordance with the global IEC 62443 standards, which address security for operational technology (OT) in general and industrial automation and control systems specifically.
Moreover, the METTLER TOLEDO Security Development Lifecycle offers a robust framework that ensures cybersecurity is an integral part of our product development process.
At METTLER TOLEDO, we believe that cybersecurity extends beyond just product design; we take security considerations into account throughout the complete life cycle of our products.
But we also recognize that it’s challenging to anticipate every potential use case or misuse of our products. Therefore, we acknowledge that not all vulnerabilities can be identified during the secure development lifecycle.
Our objective is to achieve and uphold high security and resilience in METTLER TOLEDO’s (MT) products and solutions.
To accomplish this, fostering an active dialogue with the security community—including customers, integrators, end users, and security experts—is essential for continuous improvement and innovation.
METTLER TOLEDO is also involved in various committees and working groups on the topic of cybersecurity, e.g. CEN/CENELEC and VDMA.
This enables us to support our customers as a reliable partner on their journey through the digital world.
A PSIRT is a specialized team within an organization that manages and responds to security vulnerabilities and incidents related to their products. The main objectives of a PSIRT include identifying and assessing security issues, coordinating the response to security incidents, communicating with stakeholders, and providing guidance on mitigating risks associated with vulnerabilities.
METTLER TOLEDO PSIRT is a central, interdisciplinary team managing potential security vulnerabilities in MT’s products and solutions. MT is grateful for all feedback on potential flaws, weak points, or vulnerabilities forwarded to our specialists.
METTLER TOLEDO PSIRT coordinates and maintains communication with everyone involved, both in-house and externally, to implement an appropriate response to any identified security-related issues.
We wholeheartedly invite everyone — whether you’re a METTLER TOLEDO customer or not — to share your valuable feedback on all MT products and solutions! Your insights are crucial for us. We assure you that all data, especially personal information, will be handled with the utmost confidentiality and without the need for a nondisclosure agreement.
By reporting vulnerabilities, you play a vital role in helping us enhance our products. It allows us to address these issues promptly and to keep our customers informed about mitigation measures, workarounds, and fixes. This collaborative approach empowers us to strengthen the robustness and reliability of MT products and solutions, ultimately enabling our customers to effectively manage security risks.
We strongly encourage everyone to report any security-related vulnerabilities related to MT products or solutions. Providing comprehensive, precise, and detailed information helps our Product Security Incident Response Team (PSIRT) respond more effectively and efficiently.
For your convenience, MT offers two easy ways to get in touch with us.
1. E-mail to psirt@mt.com
2. Indirect via our Partner CERT@VDE: https://cert.vde.com/helper/reportvuln/
Preferred language is English.
METTLER TOLEDO ensures that the report is made available to the necessary specialists who are equipped to address the issue described. Access to the report will be restricted to MT employees only, ensuring that no external parties can view it.
Additionally, MT is committed to keeping the reporting party's contact information private unless the reporting party specifically requests that their information be disclosed.
The METTLER TOLEDO PSIRT is a central, interdisciplinary team that will thoroughly review the impact and relevance of the reported vulnerability on MT products and solutions.
Typically, the reception of a reported vulnerability will be confirmed within two working days. Thank you for your dedication to enhancing the security of MT products!
At METTLER TOLEDO, addressing security issues often involves aligning our safety and security development processes with industrial requirements, which can affect the timeline for implementing mitigations or fixes. We appreciate your patience during this process and, if desired, will maintain close communication with the reporting party.
Since many MT components and systems are highly integrated in the infrastructure of our customers, we ask that the reporting party coordinate any disclosure of information with us. This ensures that information is not released prematurely, before appropriate mitigation measures, workarounds, or actual fixes are in place.
Thank you for your understanding and cooperation!
For vulnerabilities rated as Critical or High, METTLER TOLEDO will request a CVE (Common Vulnerabilities and Exposures) number, and security advisories will be published on our partner platform, CERT@VDE. For vulnerabilities rated as Medium and Low, information will be included in the release notes of the next product version.
Customers can choose to register for an RSS/Atom feed or can directly check for MT products and solutions on CERT@VDE.
In extreme cases, such as when functional safety is at risk, affected customers will be contacted directly as quickly as possible. We carefully assess each vulnerability and follow a responsible disclosure policy. On rare occasions, METTLER TOLEDO may also provide comments on vulnerabilities that do not affect MT products and solutions.
An advisory provides relevant facts and a history of the vulnerability, ensuring that customers and stakeholders are well-informed.
· Personal contact (Name, Organization, E-mail, Telephone, Country)
· Description of the Vulnerability (effect, how to reproduce, logfiles, pcap, CWE-ID, CVE-ID if available)
· Name of the affected product
· Software Version of the affected product
· Serial number of the affected product
· Additional Comments
· Disclosure (Do you plan to disclose, or is the vulnerability already disclosed?)
· Can or should we contact you?
At METTLER TOLEDO, we wholeheartedly support the concept of Open Source Software as a vital component of digital transformation.
Our commitment is to benefit our customers, employees, and the broader community while actively contributing to this collaborative ecosystem.
If you have any questions regarding Open Source usage and license management at METTLER TOLEDO, please reach out to our Open Source Compliance Officer (OSCO) at osco@mt.com.
Open Source Software (OSS) empowers rights holders to allow the use, analysis, modification, copying, and distribution of software under flexible conditions through "Open Source" or "Free Software" licenses.
These licenses comply with copyright law, enabling unrestricted use and versatile distribution while respecting the rights of the original creators. This framework has nurtured vibrant communities of developers and users, fostering collaboration and shared knowledge.
As a result, many software features have become commoditized, allowing companies to concentrate on their unique offerings while leveraging Open Source solutions for common functionalities, such as libraries.
We understand the significant role Open Source plays in promoting software reuse in our increasingly digital world, which is essential to our efforts in responsibly managing resources.