Security Researchers and Coordinated Disclosure Program

Safety and security are paramount in the aviation industry. Companies welcome the ethical and responsible disclosure of vulnerabilities. We recognize that the researcher community may not always be able to reach the appropriate stakeholder(s) to responsibly disclose a vulnerability. We can facilitate access to aviation companies and assist you in ethically submitting your findings.

Ethical Disclosure Guidelines

Ethical disclosure guidelines are designed to ease the disclosure of potential vulnerabilities in an ethical way and in accordance with the law. They shall not be construed as a permission to infringe any law or to reverse engineer any code or other technology.

Please allow stakeholder(s) the time to assess and fix vulnerabilities before public disclosure.

Disclosure of any vulnerability should comply with the following principles:

  • Do not cause any harm to the stakeholder(s), its customers, suppliers, partners or any other individuals or companies;

  • Do not act so as to compromise the safety of any products, their operation, and/or related services;

  • Do not infringe any applicable intellectual property rights or trade secrets, laws, or regulations;

  • Do not lock, disclose, destroy or compromise the integrity of the company’s customers and partners’ data;

  • Do not turn a financial transaction into a precondition to the disclosure of a potential vulnerability;

  • Do not breach any applicable data privacy laws and regulations;

  • Do not exploit or compromise the vulnerability(ies) or vulnerable systems.

Need Help Contacting a Company?

If you would like us to facilitate access to help disclose a vulnerability, please complete the form below. We will get back to you within 24 to 36 hours. 

Company-Specific Disclosures

AIRBUS

Safety and security of products, services, or assets made by or belonging to AIRBUS are of utmost importance in our industry. AIRBUS welcomes any reports of potential vulnerabilities related to its products, services, or assets that you may submit in good faith and in accordance with these guidelines. 

If you are a customer, supplier or contractor of AIRBUS products or services, you should contact your Airbus business point directly rather than use this process.

AIRBUS is strongly committed to safety and security and therefore urges you to not do anything that could harm and damage yourself or others. 

Send your English-language report by encrypted email (please use the following Airbus PGP public key) to vuln@airbus.com as soon as possible after the discovery of the potential vulnerability, together with the following information:

  • Description of the vulnerability;

  • Details to reproduce;

  • Discovery timeline;

  • Related product, service or asset;

  • Your contact details including your PGP key.

BOEING

The Boeing Company is committed to maintaining the safety and security of its systems and customers’ information. Boeing encourages earnest, responsible reporting of potential security vulnerabilities in any product, system, or asset made by or belonging to Boeing. Before reporting, please review the Boeing submission process, including guidelines for responsible disclosure and coordination.

Boeing Security Vulnerability Submission Process

If you believe you have found a vulnerability in a Boeing product, system, or asset, please submit the vulnerability information to Boeing through an encrypted communication method. For submission via email, please send an encrypted file detailing your submission. Encrypt your file using the Boeing PGP/GPG public key.

Email: VulnerabilityDisclosure@boeing.com