CERT MICHELIN

CERT Michelin is the dedicated team within the Michelin Group responsible for managing information security incidents that could affect the company. At Michelin, the safety and security of our customers are among our highest priorities. We are committed to designing and delivering products and services with the utmost quality and reliability.

While we strive to implement robust security measures across all our systems, we recognize that vulnerabilities may still exist. This document outlines Michelin’s policy for receiving reports of potential security vulnerabilities in our products and services, as well as our standard procedures for notifying customers about confirmed issues.

Report a vulnerability to Michelin

If you believe you have discovered a security vulnerability in a Michelin Group product or service, please contact us. You can reach us securely at cert[@]michelin.com by using our PGP key to encrypt your message.

• PGP Key ID: 0x24EEA0D0

• Fingerprint: BD118C3B6C13B45223C89AC03E5962EF24EEA0D0

• PGP Key: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3e5962ef24eea0d0

CERT Michelin is the team responsible for handling information security incidents that may affect the Michelin Group. To help us effectively analyze, reproduce, and resolve the reported vulnerability, please include the following details in your report:

• A description of the vulnerability and its potential impact

• The date and time of discovery

• The specific asset, endpoint, or URL affected

• A proof of concept with technical details to help us reproduce the issue

• The IP address used during testing

Once we receive your report, we will confirm receipt and begin our internal investigation and remediation process. We appreciate your support in helping us improve the security of our products and services.

Vulnerability disclosure rules

Michelin CERT encourages security researchers to report vulnerabilities responsibly and to adhere to the following responsible disclosure guidelines:

Don't

• Try to interrupt, deny or degrade services

• Try to access any personnal data

• Try phishing attemps

• Try to spam

• Try to do social engineering

• Try to do physical intrusion

• Try to destroy data

• Try to go further the vulnerability(maintain persistency, create account, make lateral movement...)

Out of scope vulnerabilities

• Web misconfigurations: HTTP security headers (CSP, X-FRAME-OPTION, nosniff, cookie settings), Weak SSL/TLS algorithms

• Low vulnerabilities: HTML injection, tabnagging, CSRF on login and logout, user enumeration, bruteforce attacks, attacks targeting outdated browsers, vulnerabilities that require users to perform highly unlikely actions

• Bad practices violations: Disclosure of product/version, error or stacktrace, DKIM/SPF/DMARC related issues, known vulnerable components without a working POC, authentication best practices violations (password complexity, expiration, re-use, etc.)

Reward

Please be advised, that currently, we DO NOT offer any form of bounty for any findings. However, if you wish, we would be happy to acknowledge your contribution by listing your name or nickname on our Hall Of Fame page.

Note

Michelin CERT appreciates your efforts to improve the security of our product and systems by made a reporting.
All aspects of this process are subject to change without notice, as well as to case-by exceptions. No particular level of response is guaranteed for any specific issue or class of issues.

Michelin will process your personal data only to manage your reporting. Your data will be share only to the authorized Michelin’s services and no more than 5 years. To exercise your access, deletion or other rights, you can contact us at the email address: CERT[@]michelin.com. Learn more about how Michelin manage personal data.