At Portland General Electric, the security of our systems and data is a top priority. We value the contributions of the security research community and encourage responsible disclosure of any potential security issues. This policy outlines our guidelines for reporting vulnerabilities in a respectful, legal and constructive manner so we can address issues quickly and continue to ensure the integrity of our services.
This policy covers any product, service, application, or system owned or operated by Portland General Electric to which you have lawful access. In general, any security vulnerability that could reasonably affect the confidentiality, integrity, or availability of our services or data is within scope for disclosure.
The following findings or activities are not considered reportable vulnerabilities under this policy:
Non-exploitable issues: General best practice issues such as reports of outdated software versions without a proof-of-concept exploit.
Denial of service: Any form of DoS/DDoS attacks or load testing that could impair the availability of our services.
Physical and social engineering: Physical security breaches (office break-ins, tailgating) or social engineering attacks (phishing, vishing) against our employees or systems are not authorized.
Automated scanning: High-volume, automated vulnerability scanners that generate significant traffic or alerts.
Out-of-scope domains/third parties: Systems or services not owned by Portland General Electric or beyond our control. If a suspected issue is found in a third-party component, please report it to the relevant vendor.
Illegal activities: Any activities that violate applicable law or regulations. For example, extracting, modifying, or destroying data that is not your own, or accessing accounts that do not belong to you, is strictly prohibited.
If you believe you have found a security vulnerability in our systems, please report it to PGE by emailing SOC@PortlandGeneral.com.
In your report, please provide as much relevant information as possible, including:
Description of the vulnerability: its scope and severity.
Affected URL, IP, or product: Where the vulnerability occurs (e.g., the website page or API endpoint, software version, device, etc.).
Your contact information: (Optional) Your name and the best way to reach you for further questions. You may report anonymously or under a pseudonym if you prefer, but providing contact info allows us to reach out with updates or clarification questions.
Once we receive your report, our security team will review it and respond as quickly as possible. Please do not share the vulnerability information with anyone else or make any public announcements until we have addressed it and given you the go-ahead. We appreciate your patience and cooperation in this responsible disclosure process.
When you submit a vulnerability report to this program in accordance with this policy, we commit to coordinating with you as openly and as quickly as possible.
Acknowledgment: We will acknowledge that we received your report, typically within 3-5 business days. This initial reply will confirm that your report is in our queue for evaluation.
Assessment and fix: Our security team will investigate the issue and verify the vulnerability. We pledge to be as transparent as possible throughout the process. We will let you know our assessment of the severity and the expected remediation timeline. You will receive updates when we have started remediation and when the issue is resolved.
Confidentiality: We will keep your personal information confidential and will not share your identity or report details with third parties without your permission. The only exception would be if we are required by law to reveal it (for example, under a court order), but even in such cases we would inform you if legally permitted. You are free to report issues anonymously if you prefer; however, providing contact information can help us collaborate more effectively.
No financial reward: At this time, Portland General Electric does not offer monetary rewards or bounties for vulnerability reports. Our vulnerability disclosure program is voluntary and goodwill-based. We hope that the community will work with us to improve security. While we cannot compensate you financially, your responsible disclosure and any public recognition we can provide will help build your reputation in the security community. (Note: We may consider a formal bug bounty program in the future, but for now we operate a disclosure/recognition model.)
Thank you for helping keep Portland General Electric and our customers safe. We look forward to working with you and hearing from you if you discover a security weakness. Together, through respectful and coordinated disclosure, we can strengthen the security of the energy infrastructure that so many people rely on every day.
Cybersecurity and Infrastructure Security Agency (CISA)
Contact CISA if your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely PGE.