Vulnerability disclosure guidelines
The safety and security of products, services or assets made by or belonging to Airbus Netherlands, its customers, suppliers, partners and employees are of the utmost importance to us. We are open to receiving any report about a (potential) vulnerability regarding such safety or security that you encounter, so we can fix it. Therefore, we want to provide you with an easy way of reporting such vulnerabilities. These guidelines are meant for this purpose.
IMPORTANT: If you are a relation of Airbus Netherlands, we ask you to contact your Airbus business point directly rather than use these guidelines for reporting any vulnerability.
|We expect you to act in an ethical and compliant manner
|It is important to stress that we expect you to stay within the boundaries of the law, act ethically and refrain from actions that harm or may harm any company or individual in any way.
|You can report a vulnerability in this way
|Please send your Dutch or English language report by encrypted email (PGP Key Details below) to firstname.lastname@example.org together with the following information:
|These are our PGP Key Details
|User-ID: Responsible Disclosure <email@example.com>
Created: 20-5-2022 11:44
Expires: 20-5-2025 12:00
Type: 4.096-bit RSA
|We will acknowledge receipt of your report
|We will acknowledge receipt of your report in a timely manner. If you do not receive any acknowledgement of receipt from Airbus within 72 hours, we ask you to resubmit your report to ensure we will receive it.
|You can also report a vulnerability anonymously
|We respect the interests of the reporting party and anonymous reports are welcome.
|We do not operate a bug bounty program but will recognize you
|We do not operate a bug bounty program. We do however recognize reporting parties who have brought an acknowledged security or safety vulnerability to our attention, unless you indicate that you do not want that.
|We need time to fix a vulnerability
|We may need time to assess and fix any vulnerability. We ask you to refrain from sharing or publishing any (potential) vulnerability to the public or to third parties until this is done. Please keep in mind that any public disclosure or sharing of information concerning any unresolved (potential) vulnerability may cause harm and expose you to liability.