Alstom Cybersecurity vulnerability management
Alstom recognises the need for effective cybersecurity programs to address our customers’ requirements for safe and secure Products, Solutions and Services and has established a Product Security Incident Response Team (PSIRT) to identify and address vulnerabilities in its Products, Solutions and Services.
This page describes Alstom’s approach for receiving reports related to potential cybersecurity vulnerabilities in its Products, Solutions and Services and Alstom’s standard practice for informing customers and other required stakeholders of verified vulnerabilities.
Alstom customers
If you are, or represent, a customer of Alstom, please report (or advise the customer to report) potential cybersecurity issues, including any vulnerabilities, to the Alstom contract representative / Project Manager identified in the customer’s supply or service contract with Alstom, and in accordance with that contract, so that the potential issue is handled and processed properly.
Security researchers and other vulnerability finders
If you wish to report a potential cybersecurity vulnerability in an Alstom product and/or service, please provide the following information in the English language (if possible):
- Your contact details
- Product, Solution or Service concerned: name/designation, configuration.
- Description of the vulnerability and its potential impact.
- Description of how to reproduce the issue (proof-of-concept or exploit code).
- Description of the conditions under which the issue occurs.
Please send this information to the PSIRT e-mail address: psirt@alstomgroup.com
If the report contains sensitive information, please encrypt it with our PGP key; the key’s fingerprint is given below so that you can verify the key you obtain.
PGP public key fingerprint: 60EA 8A05 639E EAE3 8D7F D0D0 5691 53A2 A90C 80AD (our replies may be signed with this key)
Please note that by submitting this information, you agree that:
- You will refrain from disclosing publicly any information about the vulnerability until Alstom has explicitly agreed to do so.
- You will not engage in any activities related to the discovered vulnerability that could affect Alstom’s customers or suppliers.
- You have not infringed any law or regulation by communicating such information and related data to Alstom.
- You will not take advantage of the security issue.
- ALSTOM may use and distribute the information as required, and you agree that the submission does not create any rights for you or create any obligations for Alstom.
Please include only the information required for ALSTOM to review and handle the potential cybersecurity issue (e.g., a potential vulnerability or breach). Any personal information submitted will be handled in accordance with our privacy notice.
How Alstom responds to a confirmed vulnerability:
Alstom will acknowledge receipt of the alleged vulnerability to the Reporting Party once the information has been reviewed, and will then assess the information provided by the Reporting Party.
If the reported vulnerability is confirmed to be valid, Alstom shall assess the finding together with the associated risks to the affected product(s) and service(s), investigate appropriate countermeasures, and develop the necessary resolutions and strategies, including the appropriate steps to be taken with its affected customers and, where required, the relevant authorities.
During this phase, we may communicate further with the Reporting Party for additional information.
The Reporting Party may, at Alstom’s discretion, be informed of the conclusions of such assessments.