CERT MICHELIN
CERT Michelin is the dedicated team within the Michelin Group responsible for managing information security incidents that could affect the company. At Michelin, the safety and security of our customers are among our highest priorities. We are committed to designing and delivering products and services with the utmost quality and reliability.
While we strive to implement robust security measures across all our systems, we recognize that vulnerabilities may still exist. This document outlines Michelin’s policy for receiving reports of potential security vulnerabilities in our products and services, as well as our standard procedures for notifying customers about confirmed issues.
Report a vulnerability to Michelin
If you believe you have discovered a security vulnerability in a Michelin Group product or service, please contact us. You can reach us securely at cert[@]michelin.com by using our PGP key to encrypt your message.
PGP Key ID: 0x24EEA0D0
Fingerprint: BD118C3B6C13B45223C89AC03E5962EF24EEA0D0
PGP Key: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3e5962ef24eea0d0
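The key material above is what a reporter should pin before trusting a keyserver copy. The following script is an added example (not code from the CERT Michelin page): it fetches the key from the listed URL, checks that the imported key's fingerprint equals the published one, and only then encrypts a report. It assumes gpg and curl are installed; report.txt is a hypothetical file name.

```shell
# Added example: pin the published fingerprint, verify the fetched key, encrypt.
EXPECTED_FPR="BD118C3B6C13B45223C89AC03E5962EF24EEA0D0"   # from the page
KEY_URL="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3e5962ef24eea0d0"

# Normalize a fingerprint however gpg or a human printed it: drop spaces, uppercase.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# Return 0 only if the fingerprint gpg reports matches the published one.
check_fingerprint() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# The short key ID on the page (0x24EEA0D0) and the keyserver search term
# (0x3e5962ef24eea0d0) are the last 8 / 16 hex digits of the fingerprint.
keyid_from_fpr() {   # $1 = fingerprint, $2 = number of hex digits (8 or 16)
    f=$(normalize_fpr "$1")
    printf '0x%s' "$(printf '%s' "$f" | tail -c "$2")"
}

# Fetch, verify, encrypt. Aborts if the imported key's fingerprint differs,
# which is the check that protects against a tampered or wrong keyserver entry.
encrypt_report() {   # $1 = plaintext report file (hypothetical: report.txt)
    curl -fsSL "$KEY_URL" | gpg --import
    actual=$(gpg --with-colons --list-keys "$EXPECTED_FPR" \
             | awk -F: '/^fpr:/ { print $10; exit }')
    if ! check_fingerprint "$EXPECTED_FPR" "$actual"; then
        echo "fingerprint mismatch: got '$actual'" >&2
        return 1
    fi
    # The fingerprint was pinned by hand, so skip the web-of-trust prompt.
    gpg --trust-model always --armor --encrypt --recipient "$EXPECTED_FPR" \
        --output "$1.asc" "$1"
}
```

Run `encrypt_report report.txt` and attach the resulting report.txt.asc to the e-mail.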
CERT Michelin is the team responsible for handling information security incidents that may affect the Michelin Group. To help us effectively analyze, reproduce, and resolve the reported vulnerability, please include the following details in your report:
A description of the vulnerability and its potential impact
The date and time of discovery
The specific asset, endpoint, or URL affected
A proof of concept with technical details to help us reproduce the issue
The IP address used during testing
Once we receive your report, we will confirm receipt and begin our internal investigation and remediation process. We appreciate your support in helping us improve the security of our products and services.
Vulnerability disclosure rules
Michelin CERT encourages security researchers to report vulnerabilities responsibly and to adhere to the following responsible disclosure guidelines:
Don't
Try to interrupt, deny or degrade services
Try to access any personal data
Try phishing attempts
Try to spam
Try to do social engineering
Try to do physical intrusion
Try to destroy data
Try to go beyond the vulnerability (maintain persistence, create accounts, move laterally, etc.)
Out of scope vulnerabilities
Web misconfigurations: HTTP security headers (CSP, X-Frame-Options, nosniff, cookie settings), weak SSL/TLS algorithms
Low-severity vulnerabilities: HTML injection, tabnabbing, CSRF on login and logout, user enumeration, brute-force attacks, attacks targeting outdated browsers, vulnerabilities that require users to perform highly unlikely actions
Best-practice violations: disclosure of product name/version, error messages or stack traces, DKIM/SPF/DMARC related issues, known vulnerable components without a working PoC, authentication best-practice violations (password complexity, expiration, re-use, etc.)
Reward
Please be advised that we currently DO NOT offer any form of bounty for findings. However, if you wish, we would be happy to acknowledge your contribution by listing your name or nickname on our Hall of Fame page.
Note
Michelin CERT appreciates your efforts to improve the security of our products and systems by submitting a report.
All aspects of this process are subject to change without notice, as well as to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.
Michelin will process your personal data only to manage your report. Your data will be shared only with authorized Michelin services and retained for no more than 5 years. To exercise your access, deletion or other rights, you can contact us at the email address: CERT[@]michelin.com. Learn more about how Michelin manages personal data.
Notify us about a cyber incident/threat involving Michelin
If you become aware of any personal data leaks or other security threats involving the Michelin Group, please report them to us by email at CERT[@]michelin.com.
If you need to share sensitive information, we strongly encourage you to use our PGP key for secure communication.
Please note: This contact channel is strictly for security-related matters. For general or technical support regarding Michelin services, kindly use the appropriate support channels.