
Vulnerability Disclosure Policy

1. Introduction and objectives

The security of our systems is a priority; however, vulnerabilities may still be present. We believe in a shared responsibility model that values the contributions of researchers, experts, and users. This disclosure policy aims to provide a clear framework for responsibly reporting flaws, to ensure their effective and secure remediation.

2. Scope

This disclosure policy applies only to vulnerabilities related to:

  • The digital infrastructures, service platforms, applications, and products developed by Orange Cyberdefense.

  • Orange Cyberdefense services accessible via the internet, as well as exposed internal systems.

  • Any vulnerability that may affect the confidentiality, integrity, or availability of Orange Cyberdefense data.


We consider vulnerabilities in this scope when they meet the following conditions:

  • They have not been previously reported or have not already been discovered by our own internal procedures (e.g., linked to a third-party vendor)

  • Reports show that our systems do not fully conform to 'best practices' (e.g., security headers are missing)

  • It can be demonstrated that the exploitation of the reported vulnerability could have a significant impact on OCD, our users, or our customers; theoretical impacts are excluded from the scheme's scope.

  • Domains are related to "Orange Cyberdefense Group" (*.orange.com and *.orange-business.com domains are excluded from this scope)


In the context of detecting and reporting vulnerabilities in Orange Cyberdefense environments, we are committed to collaborating with you to understand and resolve issues promptly.

We encourage you to report any potential security issues in our systems in accordance with the guidelines of this policy.

3. Reporting Procedures

If you have identified a vulnerability, please send an email to: vulnerability@orangecyberdefense.com

In your report, please include the following information:

  • A detailed description of the encountered vulnerability
  • The affected scope (name of the service, product, or infrastructure)
  • Date of discovery of the issue
  • Any information that allows us to reproduce the problem (proof of concept if possible)
  • The potential impact of exploiting the vulnerability, preferably using the CVSS v3.1 or 4.0 standard
  • Any additional technical elements such as scripts or network traces
  • Your contact information so we can reach you if needed

We recommend encrypting your communications using our public PGP key to ensure the confidentiality of the exchanges.

4. Our Commitments

We are committed to:

  • Acknowledging receipt of your report within 5 business days.
  • Actively working on the resolution of the vulnerability and providing a fix as soon as possible.
  • Processing the personal data you provide (name, email address) in accordance with applicable data protection legislation, and not disclosing your personal information to any third party without your permission.
  • Publicly recognizing your contribution, if you wish, once the fix is deployed.
  • Treating your report with strict confidentiality.

5. Commitments of Security Researchers

We ask individuals reporting vulnerabilities to adhere to the following principles:

  • Do not publicly disclose the vulnerability before a fix is implemented, unless there is mutual agreement.
  • Use only non-intrusive techniques to validate the existence of a vulnerability.
  • Do not exploit the vulnerability to access other systems or services, nor establish persistent access (e.g., backdoors).
  • Do not use phishing or social engineering techniques against our employees or partners.
  • Do not conduct tests that affect the availability of systems. Never perform denial-of-service attacks.
  • Do not inject malicious content into our systems, applications, or services (viruses, worms, trojans, etc.).
  • Do not modify, destroy, or exfiltrate data from Orange Cyberdefense systems.
  • Do not exploit the vulnerability for malicious purposes or for personal gain.
  • Comply with all applicable laws and regulations.

6. Disclosure process

Orange Cyberdefense recognizes the importance of the work of security researchers and experts and sincerely thanks them for their efforts and participation in this policy.

As of now, we do not have a reward program and do not offer financial compensation for vulnerability reports.

However, once the vulnerability is resolved, we can coordinate a joint publication with the researcher if they wish. We reserve the right to publish a security notice to inform our clients and partners while anonymizing the researcher's name if they prefer.

7. Legalities

This control procedure aligns with standard good practices in ethical security research and does not permit actions that violate the law or cause Orange Cyberdefense to be in breach of any of its legal obligations.

We are committed to not pursuing legal action against researchers who adhere to the principles of this policy and act in good faith to improve the security of our systems.

8. Contact information

For any questions or to report a vulnerability, please contact us at vulnerability@orangecyberdefense.com.

If your communication includes sensitive data, please encrypt your email using the Orange Cyberdefense CERT key:

  • Key ID: 0xFCF7EB86AF855E78
  • Fingerprint: C586 64A9 2EAB 767A 832A B1CD FCF7 EB86 AF85 5E78

Download the public key

9. Vulnerability advisories

All security bulletins are available at the following address:

  • Security bulletins for Orange Cyberdefense products: https://advisories.orangecyberdefense.com

10. Policy Review

This policy will be reviewed periodically and may be updated to ensure its effectiveness and alignment with current standards.
