Scania Product Security Incident Response Team
Scania’s Product Security Incident Response Team (PSIRT) is the central contact for external security researchers, partners, and customers to report potentially exploitable cybersecurity vulnerabilities identified in one of Scania’s products or supporting systems.
Scania follows the principle of Coordinated Vulnerability Disclosure, which allows us to evaluate a privately reported vulnerability or exploit and, if needed, take remedial action before public disclosure.
When and how to contact Scania PSIRT
You should contact Scania PSIRT if a potentially exploitable security vulnerability in one of Scania's products or supporting systems is identified.
Please encrypt all your messages with the PGP key below and include your own public key in the email.
EC6B 9169 C0D0 6F24 D7C1 6843 C30F 99C6 47A3 AFF4
Scania PSIRT prefers, although it is not mandatory, that the following information be included in the email:
- Contact name and organisation
- Your public PGP key
- Technical description of which Scania product or supporting system the specific action was targeting and the result in as much detail as possible.
- Name of product
- Version information
- Product vendor
- Type of vulnerability, if known
- Vulnerability description
- Confirmation that the Scania Disclosure Guidelines have been read, understood, and approved.
How we handle your report
- Scania’s PSIRT will respond to the reporter of the vulnerability or exploit, acknowledge that the report has been received, and make sure that communication is established.
- Investigation of the vulnerability report will be coordinated inside Scania’s organisation. If needed, Scania reserves the right to inform third parties of the vulnerability report. Scania will do its best, if possible, to keep the reporter informed during the process.
- When the internal investigation process is done and remedial action may have been taken, Scania’s PSIRT shares details of the investigation's conclusion with the reporter and other stakeholders. When and where the reporter may publish the vulnerability report is decided on a case-by-case basis.
- At the moment we do not operate any public bug bounty program or offer any reward for submissions, although the reporter may choose to appear in Scania’s Hall of Fame.
Scania Disclosure Guidelines
Scania takes security concerns seriously and we aim to quickly evaluate and remediate them. We welcome and encourage the community to participate in our responsible vulnerability reporting process. Security issues are of paramount concern to Scania, and we advise you to follow the Scania Disclosure Guidelines:
- Do not publish the report without Scania's confirmation, as Scania is responsible for publishing any security advisory through the website.
- Provide all the necessary information needed to patch any vulnerability.
- Do not modify or access data that does not belong to you.
- Do not compromise the safety of the vehicle or expose others to an unsafe condition.