In accordance with its information security policy, ACTIA aims to provide secure products and services, as well as to protect its assets, those of its customers and partners.
This document describes ACTIA’s policy for managing security vulnerabilities reported by third parties.
REPORT A VULNERABILITY
ACTIA is encouraging people to report security vulnerabilities concerning products and services provided by ACTIA or assets managed by ACTIA. If you believe that you have identified such potential security vulnerability, please contact us at: vulnerability-report[at]actia.fr
The content of your email must be encrypted using the ACTIA PGP/GPG key to protect the confidentiality of transmitted information.
ACTIA PGP/GPG public key:
- Download PGP public key file Vulnerability-report-pub
89318e4f10c45b824d6896966b21887ff95cb981b27c1ab2ef03a6949cc68e7d (SHA256 hash of the PGP public key file)
- You can use any encryption software which supports PGP/GPG keys. GnuPG is an example of such software.
When reporting, please provide us following information:
- Name of the submitter, knowing that, in case you want to remain anonymous, we would respect your interests.
- Contact details on how to contact you for more information about your report or to give you updates on the treatment process.
- Your PGP/GPG public key, in order to communicate back to you securely.
- Description of the vulnerability:
- Affected product, including model and version of firmware (if available), or URL address for websites vulnerabilities.
- Technical details, including network traces, proof-of-concept or exploit code if available. Potential impacts of the vulnerability and any other information available.
- Any publicly available information of previous disclosure of this vulnerability.
Please take into consideration the following information before reporting:
- We are commited to handle vulnerability reported in compliance whit this policy, only for emails written in English or French. For emails written in other languages, we will handle them as best effort, without commitment.
- Use a subject name that doesn’t provide sensitive information about the vulnerability.
- We kindly ask you to read and take into account our private disclosure model (see below).
- Please contact us for clarification before engaging any actions that may be inconsistent or unaddressed by the policy.
HANDLING PROCESS OF VULNERABILITY REPORTED
During all phase of this process, ACTIA will maintain a regular communication with reporting party and further communication with the reporter could take place to request for more information or further details.
As soon as a vulnerability report is received, ACTIA send acknowledgement to the reporter, verify the information received and start a first analysis.
A detailed investigation is performed to understand the root cause and possible methods of exploitation and assess the related risk.
If a fix or mitigation is possible and necessary to address the vulnerability, a remediation plan is prepared, and a mitigation strategy is established. As far as possible, ACTIA will work with the reporter to verify and review fixes.
PRIVATE DISCLOSURE MODEL
ACTIA apply a private disclosure strategy, meaning that informations related to vulnerability need to be transmitted by reporter only to ACTIA through contact references described in this policy.
Reporter is required to not disclose publicly or to third-parties any found vulnerabilities, as this could cause harm to Actia and others stakeholders.
We respect the interests of the reporting party and agree to address any vulnerability that is reasonably believed to be related to our products or services or other assets.
ACTIA is committed to provide a response to the reporting party as soon as possible with indication of timeline to carry out triage, validation and possible remediation of submitted information.
DISCLOSURE REQUIREMENTS AND GUIDELINES
This vulnerability disclosure program is establishing a safe harbour for vulnerability reporting and security research related to ACTIA products, services or assets, among ones listed below:
- ACTIA embedded ECU and their software,
- ACTIA smart screens,
- ACTIA diagnostic applications,
- ACTIA websites,
- Any other system developed by ACTIA that is present in a product that you own or are authorized to test against.
ACTIA agrees not to pursue any legal actions against reporting parties providing the following:
- The reporting party does not violate any criminal law,
- The research does not cause harm to Actia, its customers, employees or any other third-party,
- The reporting party does not compromise the privacy or safety of our customer or the operation of our services,
- The reporting party does not use, retain, alter or destruct any data it might access during its research,
- The reporting party does not conduct any security research on an out-scope product (scope of the program is described above in this document),
- The reporting party does not conduct any activities involving social engineering, phishing attack or spam,
- The reporting party does not conduct denial-of-service or resource-exhaustion attacks.
By submitting a report through this website, the reporting party agrees not to disclose to a third-party the vulnerability reported, associated work research nor the fact that a vulnerability has been reported to ACTIA, in accordance with private disclosure policy described above. This statement applies regardless of whether ACTIA had prior knowledge of the information.