Security Advisory

CVE Responsible Disclosure Policy

TCS-CERT (Thales Cyber Solutions Customer's CERT) is a certified team of TF-CSIRT Trusted Introducer, member of FIRST, CERT.LU initiative and Belgian Cyber Coalition.

As a Computer Emergency Response Team (CERT), TCS-CERT is committed to sharing with its peers and constituents the vulnerabilities it identifies in vendors' products.

Reporting a vulnerability to a vendor is a way to improve cybersecurity globally. It allows users to be notified of the issue and to perform the appropriate remediation. At the same time, reporting must be performed with care so that attackers do not gain knowledge of potential victims.

Whenever a new vulnerability is discovered and reported, TCS-CERT will oversee the public disclosure. TCS-CERT follows a responsible disclosure process, informing the vendor in coordination with the vendor's PSIRT (Product Security Incident Response Team) and MITRE.

If requested, Thales' clients are kept informed during this process of the vendor's feedback, the proposed action plan, and the timeline for mitigating the issues.

Regardless of how and by whom the vulnerability was discovered, TCS-CERT will never reveal the name of the customer at which the finding was made.

If the vendor wishes to publish the CVE itself, and/or if the vendor is an official MITRE CVE Numbering Authority (CNA), TCS-CERT will accompany the vendor until the end of the process, when the vulnerability is registered and disclosed on the vendor's website, in MITRE's CVE list and on Thales Cyber Solutions' website advisory page.

Up to ten (10) days are allowed for the point of contact to acknowledge the finding. After that period, TCS-CERT will start the CVE registration process whether or not an acknowledgment was received.

Every vulnerability will be registered with MITRE so that it is associated with a CVE Identifier (CVE ID), formed as follows: "CVE-YYYY-DDDD" (YYYY being the year of registration, and DDDD a number assigned by MITRE).

A thirty (30) day period is allowed for the vendor to work on a fix. This grace period can be extended, on request and only if backed by strong technical justification, to ninety (90) days at most.

Any CVE that TCS-CERT reported to a vendor will, once a fix is made available (or the grace period has expired) and the vulnerability is publicly disclosed, be referenced on the TCS-CERT website advisory page with its MITRE CVE ID. The MITRE registration will be updated with any information made available by the vendor's PSIRT.

Vendors are kindly asked to refer, in their public disclosure:

to this webpage (using the URL https://cds.thalesgroup.com/en/tcs-cert/advisory/<MITRE-CVE-ID>);

to the finder's name (only when requested).

TCS-CERT never discloses information that could directly help third parties exploit a vulnerability in a product.

If the vendor does not respond to TCS-CERT's solicitations, the vulnerability will be responsibly disclosed 90 days after TCS-CERT has notified the incident response teams of the groups to which TCS-CERT belongs.

Thales product security advisories

To report a potential vulnerability that impacts Thales products or services, please contact Thales PSIRT by sending an email to psirt@thalesgroup.com.

Thales product vulnerabilities are published here:

https://www.thalesgroup.com/en/global/group/psirt/thales-product-security-advisories

TCS-CERT - Security advisory

In the table below you can find TCS-CERT's published and reported vulnerabilities.