
How to Report a Security Vulnerability

Our response times may be increased due to COVID-19. Please be patient.

As part of Thales' commitment to product security, Thales Digital Identity and Security (DIS), Cloud Protection and Licensing (CPL) values the work that security researchers and professionals put into improving the security of our products. We are committed to working with the community through coordinated and reasonable disclosure guidelines, as described below. If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.

Please email your findings to the CPL Security Response Team. Encrypt your report using the PGP Key to prevent critical information from being accidentally disclosed.

Do provide as much of the following information as possible:

  • Product Name, version, and operating environment;
  • Type and impact of the issue;
  • The configuration/state required to reproduce the issue;
  • A compressed archive file containing proof of concept code, scripts, or other data which facilitates the reproduction of the issue;
  • Name and additional contact details (optional).

Do not take advantage of the vulnerability or problem you have discovered, for example, by downloading more data than necessary to demonstrate the vulnerability, or deleting/modifying other people's data. Do not use attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties, and do not reveal the issue to others until it has been resolved.

We will handle all reports with strict confidentiality, and will not pass on your personal data to third parties without your permission. We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication of the problem after it is resolved.