Vulnerability Disclosure Policy

The Sentient Security Incident Response Team (SIRT) manages all security information related to Sentient products, websites and infrastructure, and is the central point of contact for hackers, security researchers, customers, suppliers and partners. The contents of this page constitute the Sentient vulnerability disclosure policy.

Responsible vulnerability disclosure

Responsible disclosure of vulnerabilities has longer-term benefits because it allows us to fix vulnerabilities, inform customers about fixes, and continuously improve security in Sentient products, services and infrastructure.

Sentient is committed to working with the security community to verify, reproduce and respond to legitimate vulnerabilities. Sentient aims to handle potential vulnerabilities in accordance with ISO/IEC 30111 and ISO/IEC 29147 to the extent possible.

If you have any questions or concerns regarding Sentient security, or believe you have identified a vulnerability or a data protection issue, please do not hesitate to contact us.

Before you get started

Sentient will not take legal action against you nor ask law enforcement to investigate you provided you comply with the following:

  1. Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of services.
  2. Do not modify or access data that does not belong to you.
  3. Alter only components that you own or have permission to access.
  4. Do not compromise safety in a way that may expose others to an unsafe condition.
  5. Provide reasonable time to correct the issue before making any information public.
  6. Do not perform any kind of denial-of-service attack, distributed or otherwise.

Scope

The following is explicitly in scope:

  • Currently supported software and hardware products developed and delivered by Sentient
  • Infrastructure and services connected to the sentientplus.com domain

The following is explicitly out of scope:

  • Products for which the end of cybersecurity support has been communicated
  • Adjacent software or hardware not developed or delivered by Sentient (such as another ECU by design capable of sending commands to a Sentient ECU)
  • Infrastructure and services not connected to the sentientplus.com domain

What this means is that an attack vector that includes vehicle interfaces should typically be reported to the vehicle manufacturer. Sentient will of course work with any vehicle manufacturer to solve security issues related to any Sentient technology, so please do not hesitate to reach out if you are unsure about who the responsible party is.

Contact

Please encrypt all sensitive information sent to us using our PGP/GPG key.

Sentient SIRT PGP/GPG fingerprint
1CB3 139B 8262 18DE B041 E90F F7AF 9602 9973 1FAF

Sentient SIRT public key


Any encryption software supporting PGP/GPG keys may be used, such as GnuPG or one of those listed at openpgp.org.

Please use the form at the bottom of this page for initial contact.

Process

Reporting
Please provide the following information, using the form at the bottom of this page:

  • Name or handle
  • If you wish to remain anonymous
  • URL (if you wish to be recognized in our hall of fame)
  • Contact details
  • Public key
  • Technical description of the vulnerability

Description
Please include as much detail as possible in the description, including the potential impact of the vulnerability. Details regarding affected model, firmware version, URL, sample code, proof-of-concept, exploit code, network traces or similar may also be useful.

Please also include any available public references. If the vulnerability has already been publicly disclosed, please indicate where and by whom.

We can accept reports in English, Swedish or Mandarin.

Initial investigation
When a vulnerability report is received a tracking number is issued and provided to the reporter. If you have not received such a response within two working days, please attempt contact again.

Once received, Sentient will validate the vulnerability and investigate the potential risk attached to it. If a vulnerability in a Sentient product is confirmed, affected customers will be notified.

Analysis
A detailed investigation is conducted to understand the root cause and possible methods of exploitation.

Mitigation
A remediation plan is prepared, and a mitigation strategy is established. Sentient is committed to remedying all vulnerabilities by making patches available to customers within 90 days of the initial contact regarding the vulnerability.

If Sentient or Sentient’s customers need more than 90 days to develop a patch and ensure that it is in place in end-user vehicles, this will be communicated to the reporter with a request to delay public disclosure.

Disclosure
Sentient intends to publicly disclose all discovered vulnerabilities to the automotive community. However, this is coordinated with customers and other affected parties. It is important to us that our customers, as well as our internal organization, have adequate time to deploy required mitigations prior to disclosure of the vulnerability report.

If you feel that your report is not being disclosed in a timely manner, please reach out to discuss a solution, such as publication of an acknowledgment that omits some technical detail.

Acknowledgement
Previously published vulnerabilities will not qualify for acknowledgement. All other reports will be acknowledged in our hall of fame after analysis, confirmation and disclosure, including a link to the reporter.

Vulnerability Submission Form