CERT MICHELIN

CERT Michelin is the team within Michelin Group that handles information security incidents that could impact the Michelin company.
We consider the safety and security of our customers to be one of our top priorities.
Therefore, we design and make products and services with the best quality and reliability possible. Despite our efforts to implement the best possible security measures, vulnerabilities may still be present in our products, services and systems.
This document describes Michelin's policy for receiving reports of potential security vulnerabilities in its products and services, and the company's standard practice with regard to informing customers of verified vulnerabilities.

1. Report a Michelin vulnerability

Please contact us if you think you have found a vulnerability in a Michelin group product or service.
To do so, write to cert[@]michelin.com and encrypt your mail with our PGP key. Check that the key you use carries the key ID and, above all, the full fingerprint given below.
Key ID: 0x24EEA0D0
Fingerprint: BD118C3B6C13B45223C89AC03E5962EF24EEA0D0
The public key can be fetched from https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3e5962ef24eea0d0
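The following script is an added example for this page, not a tool published by CERT Michelin. It fetches the key by its long key ID, refuses to encrypt unless the imported key's fingerprint matches the one published above, and then encrypts a report addressed to the full fingerprint. Matching on the full 160-bit fingerprint is the security-relevant step: a 32-bit short key ID such as 0x24EEA0D0 can be collided by an attacker who uploads a look-alike key to the keyserver, so it identifies the key only loosely. The helper functions also show how the three identifiers on this page relate: the long key ID in the keyserver URL is the last 16 hex digits of the fingerprint and the short key ID is the last 8. The keyserver address, file names and the use of gpg are assumptions of the example.

```shell
#!/bin/sh
# Added example (not CERT Michelin's code): verify the CERT Michelin PGP key before encrypting a report.
set -eu

# Fingerprint as published on the CERT Michelin page.
EXPECTED_FPR="BD118C3B6C13B45223C89AC03E5962EF24EEA0D0"
# Assumption: an HKPS keyserver; the page points at keyserver.ubuntu.com.
KEYSERVER="hkps://keyserver.ubuntu.com"

# Strip the spaces gpg prints between fingerprint groups and upper-case, so comparisons are exact.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Long (64-bit) key ID = last 16 hex digits of the fingerprint; what the keyserver URL searches for.
long_keyid_of() {
    printf '0x%s' "$(normalize_fpr "$1" | tail -c 16)"
}

# Short (32-bit) key ID = last 8 hex digits; human-friendly but collidable, never use it alone for trust.
short_keyid_of() {
    printf '0x%s' "$(normalize_fpr "$1" | tail -c 8)"
}

# Return 0 when a fingerprint as printed by gpg equals the published one, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Fetch the key from the keyserver and compare the imported key's fingerprint with the published one.
# Requires gpg and network access; aborts if anything other than the expected key came back.
fetch_and_verify() {
    keyid=$(long_keyid_of "$EXPECTED_FPR")
    gpg --keyserver "$KEYSERVER" --recv-keys "$keyid"
    # Machine-readable listing: on "fpr" records the 10th colon-separated field is the fingerprint.
    got=$(gpg --with-colons --fingerprint "$keyid" | awk -F: '$1 == "fpr" { print $10; exit }')
    if ! fpr_matches "$got" "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: got '$got', expected '$EXPECTED_FPR'" >&2
        return 1
    fi
    echo "key $keyid verified against published fingerprint"
}

# Encrypt a report file to the verified key, addressing the recipient by full fingerprint so gpg
# cannot pick a different key that merely shares a short ID. Writes <file>.asc (ASCII armour).
encrypt_report() {
    gpg --armor --encrypt --recipient "$EXPECTED_FPR" --output "$1.asc" "$1"
}

# Typical use, only when run directly with a report file as argument:
#   ./verify_and_encrypt.sh report.txt   ->   report.txt.asc ready to mail to cert[@]michelin.com
if [ "$#" -ge 1 ]; then
    fetch_and_verify
    encrypt_report "$1"
fi
```

If `fetch_and_verify` reports a mismatch, do not encrypt: either the keyserver returned a different key for that ID or the key has been replaced, and the published fingerprint on this page is the value to reconcile against.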

To help us reproduce, triage and remediate the vulnerability, please provide the following information:

  • A description of the vulnerability and its potential impact on Michelin

  • Date and time of the discovery

  • The asset, endpoint or URL affected by the vulnerability

  • A proof of concept with the technical details needed to reproduce the vulnerability

  • The IP address(es) used for testing

After receiving your report, we will contact you to acknowledge receipt and start the remediation process on our side.

Vulnerability disclosure rules

Michelin CERT encourages researchers to report vulnerabilities and to comply with the following responsible disclosure guidelines:

Don't

  • Try to interrupt, deny or degrade services

  • Try to access any personal data

  • Attempt phishing

  • Send spam

  • Use social engineering

  • Attempt physical intrusion

  • Destroy data

  • Go beyond demonstrating the vulnerability (maintaining persistence, creating accounts, moving laterally, etc.)

Out of scope vulnerabilities

  • Web misconfigurations: HTTP security headers (CSP, X-Frame-Options, nosniff, cookie settings), weak SSL/TLS algorithms

  • Low-severity vulnerabilities: HTML injection, tabnabbing, CSRF on login and logout, user enumeration, brute-force attacks, attacks targeting outdated browsers, vulnerabilities that require users to perform highly unlikely actions

  • Best-practice violations: disclosure of product name/version, error messages or stack traces, DKIM/SPF/DMARC related issues, known vulnerable components without a working PoC, authentication best-practice violations (password complexity, expiration, re-use, etc.)

Reward

Please be advised that we currently DO NOT offer any form of bounty for findings. However, if you wish, we can add your name or nickname to our hall of fame page.

Note

Michelin will process your personal data only to manage your report. Your data will be shared only with authorized Michelin services and kept for no more than 5 years. To exercise your access, deletion or other rights, contact us at the email address CERT[@]michelin.com. Learn more about how Michelin manages personal data.

Michelin CERT appreciates your efforts to improve the security of our products and systems by reporting such issues.
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.

2. Notify us about a cyber incident/threat involving Michelin

If you are aware of any leak of personal data that may concern the Michelin group (or any other threat), please send an email to CERT[@]michelin.com.
If you need to send us information securely, please use our PGP key (see section 1).
Please do not contact us for technical support on our services.