Coordinated Vulnerability Disclosure

At Air France, the security of our systems and data is a top priority. Despite our best efforts, breaches can still occur. That is why we ask for your help in keeping our systems secure. If you discover a vulnerability, please report it to us directly so we can address it as quickly as possible. This process is known as Coordinated Vulnerability Disclosure, or CVD.

Do’s:

  • Submit your findings on Zerocopter to inform us of any vulnerabilities you have identified. This page also outlines which areas and types of vulnerabilities are considered in or out of scope.
  • Report your findings in a way that maintains confidentiality, ensuring others cannot access the information. 
  • Report the vulnerability as soon as possible to reduce the risk of it being exploited. 
  • Provide enough detail for us to reproduce and resolve the issue. Typically, the system’s IP address or URL and a description of the vulnerability are sufficient. More complex issues may require additional explanation. 

Don’ts:

  • Do not exploit the vulnerability you discovered. For example, avoid downloading more data than necessary to demonstrate the issue, or deleting or modifying any of our data. 
  • Do not disclose the vulnerability to others until it has been fully resolved. 
  • Do not use the vulnerability to carry out attacks related to physical security, social engineering, denial-of-service (DoS), spam, or third-party (web) applications. 
  • Do not access the system repeatedly or share access with others. 
  • Do not run automated scans on our infrastructure or systems. 
  • Do not use brute-force techniques to gain access to systems or data—this is not considered a valid vulnerability. 

Our commitments:

  • We offer a reward for each previously unknown vulnerability disclosure as a token of our appreciation. The reward amount depends on the severity of the vulnerability. Payment will be made once the report is marked as “resolved.” 
  • We will keep you informed of the resolution progress through Zerocopter. 
  • We will handle your report confidentially and will not share your personal information with third parties without your consent, unless required by law or court order. 
  • We will not pursue legal action if you follow this disclosure procedure responsibly.