Vulnerability Disclosure Policy

Computer systems are exposed to threats and attacks with potentially dramatic consequences. It is essential to ensure the protection of these computer systems to guarantee their safety and security.
The products we supply are often at the heart of sensitive environments, in automated process control or in systems designed to ensure people safety and property security. As such, we design our products by following processes and using technologies that contribute to the security of those systems. However, despite our best efforts, our products may contain vulnerabilities susceptible to jeopardize the security of the systems in which they are integrated.
ARC Informatique’s vulnerability disclosure policy addresses the handling of security vulnerabilities affecting ARC Informatique’s products and services (collectively designated as ‘Product’). It is designed to ensure vulnerabilities are qualified, their impact assessed, and that accurate information is provided in a timely fashion to assist asset owners in keeping their systems safe and secure.
ARC Informatique adheres to the principles of responsible disclosure and is committed to collaborating with researchers, CERTs, product users and authorities. Everyone is encouraged to report findings. We expect finders, either an individual or an organization who has found a potential vulnerability, to adhere to the same principles. ARC Informatique requests that finders undertake not to disclose the vulnerability without ARC Informatique’s consent until it has been resolved, not to use the vulnerability for exploitation beyond the minimum necessary to demonstrate it, and not to take advantage of the vulnerability discovered in ways that may have harmful consequences.

As a CNA for its Product & Services, the Incident Response team at ARC Informatique operates under the CVE Numbering Authority rules.
Within the context of this policy, a vulnerability is a software weakness that can be abused to cause unintended behavior, with a potential impact on the safety or security of an affected system. We leverage feedback to design safer and more secure Products.

1. Reporting

To report a security vulnerability, you can contact ARC Informatique using the point of contact described in the Contact section.
When submitting a vulnerability report, we expect the finder to provide at least the following information:

  • Name of the Product with its build number and the affected component
  • Detailed description of the potential vulnerability and its impact
  • Installation or configuration prerequisites
  • Proof-of-concept or exploit code if available
  • Step-by-step instructions
  • Any other relevant information

ARC Informatique handles the reported information securely and applies industry standards to keep the information confidential.
The finder’s personal data is only used to undertake actions regarding the reported security vulnerabilities. We will not disclose your personal information to third parties without permission, unless required by law.

2. Evaluation

ARC Informatique commits to acknowledging a received report within 5 business days.
Our teams investigate the reported vulnerability. If needed, we may request additional information and conduct a risk assessment considering the typical setup of the affected Product.The progress and conclusions of the analysis are shared with the finder, and a preliminary CVSS scoring is performed.
An early warning notification process is in place for ARC Informatique to fulfill its legal and contractual requirements whenever applicable.

3. Mitigation & patches

Whenever possible, ARC Informatique develops a patch fixing the root cause of the vulnerability and provides mitigation measures.
The finder is informed of the progress and can be involved in the validation of the patch and proposed mitigation measures.
Until the end of the embargo period, and with the sole purpose of limiting the risks for asset owners, the finder commits not to disclose any information.

4. Disclosure

As soon as a remediation is available, whether it is a set of mitigation measures or a patch, ARC Informatique prepares and coordinates the publication of a security bulletin. Security bulletins are made available publicly on the web site of ARC Informatique.
A CVE is assigned to vulnerabilities before publication whenever applicable.
A security bulletin contains the following information:

  • General description of the vulnerability, including the CVSS score and the associated CVE Id
  • Impact in case of exploitation
  • Affected Products and versions
  • Description of the mitigation measures if any
  • Description of the patches and instructions for their deployment

With the agreement of the finder, credit is given for responsible reporting and collaboration.

5.Contact

Feel free to contact us if you want to report a safety or security vulnerability.
Useful information to be included in your report are detailed in the Reporting section.
Our teams can be reached with reports in English or French, our offices are located in France.
Email: secure@arcinfo.com
PGP public key file
PGP Fingerprint: f45a2e7a8e04f94c6a1d88545bfdce3cc7730f2

6. Useful links