Thales PSIRT’s role as CNA in the CVE Program
Since October 2021, Thales PSIRT has been operating as a CVE Numbering Authority (CNA).
Scope:
- Thales Group branded products and technologies,
- products and technologies of Thales Group’s subsidiaries,
- vulnerabilities in third-party software discovered by Thales Group and subsidiaries that are not in another CNA’s scope.
Vulnerability Management Policy
Thales is committed to providing its customers with the required levels of assurance in the security functions and capabilities of its products and services.
Regarding the management of vulnerabilities, Thales pays special attention to discovering and remediating potential vulnerabilities that may affect the security of Thales's products and services.
In this context, Thales provides a contact point for people wishing to communicate potential vulnerabilities under the Responsible Disclosure model. This dedicated public entry point (psirt@thalesgroup.com) helps reporters reach the dedicated team. The Thales global PSIRT ensures proper triage of reports across the various entities of Thales.
Responsible Disclosure
The Responsible Disclosure model implies the qualification and the impact assessment of the reported security issues.
Once the issue is confirmed, the reporter is informed of the outcome of Thales's investigation, and an embargo period is agreed between Thales and the reporter to mitigate the risks for Thales's customers and end users.
Each reporter commits to the following:
- Do not take advantage of the security issue discovered, for example, by downloading more data than necessary to demonstrate the vulnerability, or by deleting/modifying data.
- Do not disclose the issue until it has been resolved and without Thales’s consent.
- Do not use attacks on physical security, social engineering, denial of service, spam, or applications of third parties.
Confidentiality Notice
Thales will handle the communicated information securely and will enforce industry standards to keep the transmitted information confidential.
However, it is the reporter's responsibility to assess the transmitted data to ensure it does not infringe any law or regulation that applies to this data. In case of any doubt, Thales recommends not transmitting such information through this channel and waiting for Thales's reply so that such transmission can be agreed jointly.
Your personal data is only used to undertake actions with regard to the security vulnerabilities you report. We will not disclose your personal information to third parties without your permission, unless required by law.
Report Vulnerabilities
To report a potential vulnerability that impacts Thales products or services, please contact Thales PSIRT by sending an email to psirt@thalesgroup.com.
In case of sensitive information, please encrypt your email using PGP.
Key ID: 0x8448AE39
Fingerprint: FC3C 4520 576E C756 AE73 0030 5369 49C4 8448 AE39
Thales Group’s role as Root in CVE Program
Scope: To support the federation model of the CVE Numbering Authority Program, and to get a more consistent organization, Thales Group is becoming the Root CNA for Thales subsidiaries.
CNA of Last-Resort
Thales Group Root will also perform the role of CNA of Last Resort (CNA-LR). This function is supported and coordinated by Thales PSIRT.
Disclosure Policy
Thales Group Root disclosure policy is the one promoted by Thales PSIRT.
Appeal Process
Parties who contend that a CNA attached to Thales Group Root is not in compliance with the (e.g., not responding in a timely manner, refusing to assign a CVE ID to a vulnerability, not populating a CVE record in a timely manner, etc.) may contact Thales Group Root about the issue. Thales Group Root will then evaluate the report and take any necessary actions.
See the for a high-level description of the process.
- Thales Group Root will be the point of contact for escalation of issues regarding its CNAs.
- Thales Group Root will address CVE assignment issues from its CNAs that require escalation.
- To contact Thales Group Root regarding an issue, send a detailed message with your questions, issues, and comments to cna-coordinator@thalesgroup.com.
- Thales Group Root will respond with an acknowledgement within 3 working days.
- Thales Group Root will contact the appropriate entities (the relevant CNA and the requestor) to collect the information relevant to the issue.
- After all the information has been collected and the disagreement or appeal has been fully considered, Thales Group Root will communicate its decision to all relevant parties. This decision is final.
- Disputes will be clearly documented in the CVE Entry if a CVE ID is assigned as the result of an escalated issue.