Report Potential Security Vulnerabilities
At Cummins, security and compliance are top priorities. If you have information related to security vulnerabilities in Cummins products, services or web applications, we want to hear from you and are committed to taking steps to resolve your concerns. We value the positive impact of your work and thank you for notifying Cummins of this matter.
Product, Network and Application Security Incident Reporting
To report a potential vulnerability or security incident involving a Cummins product, web application or service, please notify responsible.disclosure@cummins.com.
Upon submission, we will acknowledge receipt of each potential vulnerability report within 2 business days. Cummins teams will then conduct a thorough investigation and take the appropriate steps for resolution, if any are required.
Please include the following in your report:
- Email subject line: “Potential Vulnerability”
- Product, model, version, URL or IP address where applicable
- Description of the concern or vulnerability (include the CVE where applicable)
- Information to help our team replicate the issue (e.g. configuration details, a proof-of-concept or exploit code)
- Contact information
We strongly recommend that reports be encrypted with PGP before submission.
Responsible Disclosure PGP Key [.pdf]
Incident Response
Cummins CIRT incident response procedures meet or exceed the standards set by the NIST Computer Security Resource Center (CSRC) incident response lifecycle for identifying, validating, mitigating and communicating vulnerabilities in Cummins products. Consistent with these standards and our company’s security culture, Cummins partners with researchers, academia and coordinating authorities to continuously assess for vulnerabilities and improve security in our products and systems. Cummins reviews this process annually to ensure alignment with NIST guidance.
Issues considered out of scope for submission include, but are not limited to:
- Reports from automated tools or scans
- Reports of insecure SSL / TLS ciphers
- Social engineering of Cummins employees or contractors
- Open ports which do not lead directly to a vulnerability
- Equipment damage through physical harm
- Facility security gaps
- Denial of Service attacks
- Phishing attacks