Vulnerability disclosure guidelines

The safety and security of products, services or assets made by or belonging to Airbus Netherlands, its customers, suppliers, partners and employees are of the utmost importance to us. We are open to receiving any report about a (potential) vulnerability regarding such safety or security that you encounter, so we can fix it. Therefore, we want to provide you with an easy way of reporting such vulnerabilities. These guidelines are meant for this purpose.

IMPORTANT: If you are a relation of Airbus Netherlands, we ask you to contact your Airbus business point directly rather than use these guidelines for reporting any vulnerability.

We expect you to act in an ethical and compliant manner

It is important to stress that we expect you to stay within the boundaries of the law, act ethically and refrain from actions that harm or may harm any company or individual in any way.

You can report a vulnerability in this way

Please send your Dutch or English language report by encrypted email (PGP Key Details below) to responsibledisclosure@airbusds.nl together with the following information:

  • Description of the vulnerability;
  • Details to reproduce;
  • Discovery timeline;
  • Related product, service or asset;
  • Your contact details including your PGP key, if not reporting anonymously.

These are our PGP Key Details

User-ID: Responsible Disclosure <responsibledisclosure@airbusds.nl>

Created: 20-5-2022 11:44

Expires: 20-5-2025 12:00

Type: 4096-bit RSA

Fingerprint: 7D6718C59E7F5FB41B2D2BE360A43C0A7CAF0ED9

We will acknowledge receipt of your report

We will acknowledge receipt of your report in a timely manner. If you do not receive any acknowledgement of receipt from Airbus within 72 hours, we ask you to resubmit your report to ensure we will receive it.

You can also report a vulnerability anonymously

We respect the interests of the reporting party and anonymous reports are welcome.

We do not operate a bug bounty program but will recognize you

We do not operate a bug bounty program. We do however recognize reporting parties who have brought an acknowledged security or safety vulnerability to our attention, unless you indicate that you do not want that.

We need time to fix a vulnerability

We may need time to assess and fix any vulnerability. We ask you to refrain from sharing or publishing any (potential) vulnerability to the public or to third parties until this is done. Please keep in mind that any public disclosure or sharing of information concerning any unresolved (potential) vulnerability may cause harm and expose you to liability.