Product Security Incident Response
Thales PSIRT plays a crucial role in managing cybersecurity incidents related to data leaks and vulnerabilities affecting Thales Group’s products and services.
Thales is committed to providing its customers with the necessary assurance regarding the security functions and capabilities of its products and services.
For this reason, Thales PSIRT plays a central role in handling incidents, including data leaks and vulnerabilities, that impact Thales Group’s products and services.
Thales PSIRT's scope is all products and services of Thales Group entities, subsidiaries, and joint ventures.
Vulnerability Management
Thales pays special attention to discovering and remediating potential vulnerabilities that may affect the security of Thales’ products and services.
In this context, Thales provides a contact point for people wishing to communicate potential vulnerabilities, practicing the Responsible Disclosure model. This dedicated public entry point (psirt(at)thalesgroup[.]com) shall help reporters reach the dedicated team.
Thales PSIRT ensures proper triage of reports across the various entities of Thales.
Responsible disclosure
The Responsible Disclosure model implies the qualification and the impact assessment of the reported security issues.
Once confirmed, the reporter is informed of Thales’s investigation and an embargo period is agreed, to mitigate the risks for customers and end users.
Each reporter commits to the following:
- Do not take advantage of the security issue discovered, for example, by downloading more data than necessary to demonstrate the vulnerability, or by deleting/modifying data.
- Do not disclose the issue until it has been resolved and without Thales’s consent.
- Do not perform attacks like social engineering, denial of service, physical site intrusion, spam, or applications of third parties.
To report a potential vulnerability or data leak that impacts a Thales Group product or service, please contact Thales PSIRT by sending an email to psirt(at)thalesgroup[.]com.
To notify us about a cybersecurity incident involving a Thales infrastructure, please refer to the Thales CERT page.
In case of sensitive information, please encrypt your email using PGP:
Thales PSIRT PGP Key
- ID: 0x8448AE39
- Hash: FC3C 4520 576E C756 AE73 0030 5369 49C4 8448 AE39
All sales prospection emails will be ignored.
Confidentiality notice
Thales will handle the communicated information securely and will enforce industry standards to keep it confidential.
However, it is the reporter’s responsibility to assess the transmitted data to ensure it does not infringe any law or regulation that would apply to this data. In case of any doubt, Thales recommends not transmitting such information through this channel and waiting until Thales replies to jointly agree on such transmission.
The reporter’s personal data is only used for actions related to the reported security vulnerabilities. It will not be disclosed to third parties without the reporter's permission, unless required by law.
Thales Group and CVE Program
Since October 2021, Thales PSIRT has been operating as a CVE Numbering Authority (CNA).
Its scope is:
- Thales Group branded products and technologies,
- products and technologies of Thales Group’s subsidiaries,
- vulnerabilities in third-party software discovered by Thales Group and subsidiaries that are not in another CNA’s scope.
Since January 2025, Thales Group has been part of the CVE Program’s Roots.
Its scope is to support the federation model of the CVE Numbering Authority Program. To achieve a more consistent organization, Thales Group is becoming the Root for Thales subsidiaries.
Appeal Process
Parties who contend that a CNA attached to Thales Group Root is not in compliance with the CNA rules (e.g., not responding in a timely manner, refusing to assign a CVE ID to a vulnerability, not populating a CVE record in a timely manner, etc.) may contact Thales Group Root about the issue.
Thales Group Root will then evaluate the report and take any necessary actions.
See the CNA Rules for a high-level description of the process.
- Thales Group Root will be the point of contact for escalation of issues regarding its CNAs.
- Thales Group Root will address CVE assignment issues from its CNAs that require escalation.
- To contact Thales Group Root regarding an issue, send a detailed message with your questions, issues, and comments to cna-coordinator(at)thalesgroup[.]com.
- Thales Group Root will respond with an acknowledgement within 3 working days.
- Thales Group Root will contact the appropriate entities (relevant CNA and requestor) to collect information relevant to the issue.
- After all the information is collected, Thales Group Root will communicate its decision to all relevant parties once the disagreement or appeal has been fully considered. This result is final.
- Disputes will be clearly documented in the CVE Entry if a CVE ID is assigned as the result of an escalated issue.