Epson Security Guides & Notifications

Epson Security Manifesto

To ensure security for all its customers, Epson uses unified security frameworks and consistent methodologies throughout the design and delivery of all its products, from office/home devices to commercial/industrial receipt printers and large format printers (LFPs).

Learn more

Security Guidebook for Corporate Products

Strengthen the functional network capabilities of corporate printers and MFP to improve user-friendliness with a variety of security features for computers and servers when connecting to and using a network.

Security Guidebook for Product

Security Guidebook:
  

Click Here

Business Inkjet Printer Function
List and supported models:

Click Here

Large Format Printer Function
List and supported models:

Click Here

Scanner Function
List and supported models:

Click Here

 

Security Whitepaper and Information for Solutions

Security Whitepaper for
Epson Print Admin:

Click Here

Security Whitepaper for
Document Capture Pro Server:

Click Here
 
 

 

Please select a security notification below for details:

Security Notification Product ID Release Date
Insecure Initial Password Configuration in Epson WebConfig Vulnerability -- CVE-2024-47295 01/10/2024
Cross-Site Scripting (XSS) Vulnerability -- CVE-2023-23572 18/09/2023
Vulnerability in Web Config in Printer Products -- Click Here 03/08/2023
Vulnerability in Web Config in Printers and Network Interface Products -- CVE-2023-27520 09/06/2023
Security Measures for Epson Network Products -- Click Here 26/11/2020

Epson Vulnerability Disclosure Policy

Seiko Epson Corporation and its sales companies ("we", "us", "our") collect information on security vulnerabilities in our products and services (the "Products"), investigate their impact and disclose information as necessary to ensure that our customers can use our Products with confidence.

1. Application

This policy applies to all vulnerabilities (*1) reported to us. Customers are requested to read and comply with this policy carefully before reporting vulnerabilities.

*1: Vulnerability for the purposes of this policy is defined as an attack against a product that can adversely affect its confidentiality, integrity or availability.

2. How to report vulnerabilities

If you discover a new vulnerability (undisclosed vulnerability) for your product, please submit a report via the link below.

Report a Vulnerability

3. The process after a vulnerability report

3.1 Acknowledgement of receipt

The customer submitting the report (the "Rapporteur") will receive an acknowledgement of receipt from us within five working days, starting from the day after the day on which the report is sent.

3.2 Identification of vulnerabilities

The received vulnerabilities are checked by our technical team and the results are fed back to the reporter. In some cases, we may decide that the vulnerability is "not covered by the vulnerability response". For example, in the following cases.

  1. Known vulnerabilities.
  2. Product support is no longer available.

 

3.3 Addressing vulnerabilities

If we determine that the product is vulnerable, we will provide the reporter with a fixed module that addresses the vulnerability or provide a workaround. Please note that when we provide a fixed module, we may ask the reporter to confirm that the vulnerability has been properly addressed.

3.4 Vulnerability disclosure.

If it is deemed necessary to inform customers other than the reporter, the security advisory will be posted on the following website as soon as the information can be disclosed, so that customers can implement appropriate measures.

In addition, if the reporting party makes the disclosure, the reporting party is requested to coordinate the content of the disclosure (e.g. not including information that may give the attacker an advantage) and the schedule of the disclosure.

Security Advisery

4. About Rewards

We sincerely appreciate those who take the time and effort to report vulnerabilities in accordance with this policy, but we do not offer any compensation for reporting vulnerabilities. Thank you for your understanding.

5. Prohibitions against the reporter

  • With regard to the disclosure of vulnerabilities The reporting party must not disclose vulnerability-related information to third parties without a valid reason.
    However, if you need to disclose vulnerability-related information for legitimate reasons, please consult us in advance.
  • With regard to when vulnerabilities are discovered and verified Please do not do the following in order to search for and verify vulnerabilities:
    1. Violating applicable laws and regulations
    2. Accessing unnecessary, excessive or voluminous data
    3. Altering data on our systems or services
    4. Using high-intensity invasive or destructive scanning tools to discover vulnerabilities
    5. Attempting or reporting any form of denial of service, such as overwhelming our services with a high volume of requests
    6. Interfering with our services or systems

What is the PSTI (Product Security and Telecommunications Infrastructure) Act?

As of 29 April 2024 it is no longer permissible to sell products that either connect to the internet or connect to internet-connectable product, to consumers in the United Kingdom, unless the respective product complies with the UK Product Security & Telecommunications Infrastructure Act 2022 (UK PSTI).

This means that products impacted by UK PSTI must have a Statement of Compliance accompanying the product, and the same statement needs to be available for the consumer at the point of purchase.

Epson strives to meet the highest standards of quality with its products and as such must remain compliant with changing legislation, therefore Epson has already started labelling products impacted by UK PSTI with a Statement of Compliance.

Statement of compliance

Epson’s statement of compliance will appear as a sticker on each product box. An example of this sticker can be found below:

Which products are affected?

For a product to be impacted it must meet the following 2 conditions:

  1. The product connects to the internet or connects to a product that connects to the internet
  2. The product available in a retail environment

How do I find out if my Epson products are affected?

If the Epson products you hold do not have a sticker with our statement of compliance on the box (see example sticker above), then you can check with your Epson Account Manager.

If you do not have an Epson Account Manager, please get in touch with us by submitting a contact form here.