Responsible disclosure
Atos Threat Research Center
Charter & Vulnerability Disclosure Policy — CyberShield
Atos Threat Research Center, with Atos Legal · June 2026 · Final document
Part I — Charter
The Atos Threat Research Center (TRC) is Atos’ global threat-intelligence and vulnerability-research capability. It brings together advanced threat-intelligence research, threat-actor and campaign monitoring, vulnerability research across hardware, software and network layers (both IT and OT), and AI-powered analysis into a single team dedicated to protecting Atos customers and the wider digital ecosystem. Our research feeds Atos’ global network of Security Operations Centers (SOCs) and strengthens Threat Detection, Investigation and Response (TDIR). Where our findings have value beyond our own customers, we publish them responsibly on the CyberShield blog so the broader community can defend itself.
Mission
To anticipate, understand and counter emerging cyber threats — and to convert that knowledge into actionable, verified intelligence that reduces real-world risk for our customers and for society at large.
Scope of our research
The TRC conducts research, for defensive purposes only, that originates from sources including:
- Active defense operations — patterns, indicators and techniques observed across Atos SOC cases and incident-response engagements.
- Threat intelligence — open-source intelligence (OSINT), dark-web and underground-forum monitoring, and adversary/campaign tracking.
- Vulnerability research — discovery and analysis of weaknesses in software, hardware and network products and services, including through reverse engineering.
- Malware and adversary analysis — reverse engineering of malicious code, infrastructure and tradecraft.
Guiding principles
These principles govern every piece of research we conduct and publish:
- Public benefit first. We disclose to drive remediation and help users defend themselves — never to harm, extort or gain commercial advantage.
- Accuracy and integrity. We publish verified, evidence-based findings and do not exaggerate severity or speculate beyond our analysis.
- Coordination over confrontation. We work with affected vendors wherever possible and give them a fair opportunity to remediate before public disclosure.
- Proportionate transparency. We publish enough for defenders to understand and mitigate a threat, while withholding detail that would primarily benefit attackers.
- Independence with accountability. Our conclusions are our own, and our research is conducted lawfully, ethically and under defined internal governance.
Coordinated (responsible) disclosure of third-party vulnerabilities
When the TRC discovers a vulnerability in another organization’s product or service, we follow a coordinated vulnerability disclosure (CVD) process aligned with ISO/IEC 29147:2018 (Vulnerability disclosure) and complemented by ISO/IEC 30111 (Vulnerability handling processes). We notify the vendor or maintainer privately and securely before any public disclosure — using their published security contact or PSIRT channel, or a recognized coordinator (such as a national CERT/CSIRT or CVE Numbering Authority) where no direct channel exists. We propose a coordinated disclosure window of [90] calendar days from first contact, adjusted in good faith: extended where a fix is progressing, or shortened where a vulnerability is being actively exploited, is already public, or poses imminent risk. Our advisories are written for defenders — describing the affected product and versions, the nature and impact of the issue, available mitigations, and a CVE identifier where assigned — and may withhold weaponizable detail where its release would create disproportionate risk.
When a vendor does not engage, or asserts contractual restrictions
We recognize that vendors sometimes do not respond, decline to remediate, or cease communication. Where, after reasonable and documented attempts, a vendor is unresponsive or declines to act, the TRC may proceed to publish in a manner consistent with the public interest and this charter — prioritizing user safety while minimizing the risk of enabling abuse. The TRC respects its lawful contractual obligations; at the same time, we hold that non-disclosure agreements, terms of service, or licensing terms should not be used to suppress legitimate, good-faith security research that protects the public. Where a vendor asserts that such terms — or the threat of legal action — prohibit publication, the matter is referred to Atos Legal for review before any decision to publish or withhold.
Good faith, ethics and what we will not do
The TRC conducts its research in good faith, lawfully, and to improve security. We do not seek payment or advantage in exchange for withholding a vulnerability; we do not access, modify or exfiltrate data beyond the minimum necessary to demonstrate an issue; and we report findings to enable remediation, not exploitation. Research involving reverse engineering, malware handling and underground-source monitoring is performed by authorized personnel within controlled environments, subject to internal legal and ethical oversight. We do not develop or distribute offensive tooling for malicious use, disclose vulnerabilities in a manner designed primarily to harm a vendor or benefit attackers, trade in or profit from undisclosed vulnerabilities, or target individuals or systems without lawful authorization.
Part II — Vulnerability Disclosure Policy (reporting to Atos)
Atos welcomes reports of security vulnerabilities in our own products, services and infrastructure. If you believe you have found a security issue affecting Atos, we want to hear from you. This policy explains what is in scope, how to report safely, what you can expect from us, and the protections we offer to researchers who act in good faith. It is the inbound counterpart to the coordinated-disclosure principles set out in Part I.
Our commitment to researchers
When you report a vulnerability to us in line with this policy, we commit to:
- Acknowledge receipt of your report within [2] business days.
- Provide an initial assessment and triage within [10] business days.
- Keep you informed of remediation progress at reasonable intervals.
- Work with you on coordinated public disclosure where appropriate, and credit you for your finding if you wish.
- Not pursue or support legal action against you for research conducted in good faith under this policy.
Scope
This policy covers Atos-owned and Atos-operated products, services and internet-facing systems. The table below is indicative; if you are unsure whether a target is in scope, contact us before testing and we will advise.
| In scope | Out of scope |
|---|---|
| Atos and Eviden products and services | Third-party products and platforms not operated by Atos |
| Atos-operated internet-facing applications and infrastructure | Findings requiring physical access to Atos premises or devices |
| Authentication, authorization and data-exposure issues | Social engineering, phishing or attacks against Atos staff or customers |
| Vulnerabilities in code or systems Atos publishes or maintains | Denial-of-service (DoS/DDoS), volumetric or resource-exhaustion testing |
| Issues affecting confidentiality, integrity or availability of Atos systems | Automated scanning that degrades service, or reports from such scanning without validation |
Safe harbour
Atos will consider security research and vulnerability disclosure conducted in accordance with this policy to be authorized, lawful, and a valued contribution to the security of our systems. Provided you act in good faith and within this policy, Atos will not pursue or support legal action against you in relation to your research, and will work with you if a third party brings action against you for activity conducted under this policy. If legal uncertainty arises, contact us before proceeding — we would rather help you stay within scope than have you stop.
Rules of engagement
To remain protected under this policy, please:
- Act in good faith to avoid privacy violations, data destruction, and disruption to our services.
- Access only the minimum data necessary to demonstrate a vulnerability, and never exfiltrate, store or share Atos or customer data.
- Stop testing and report immediately if you encounter personal data, credentials, or evidence of an existing compromise.
- Do not use denial-of-service techniques, social engineering, spam, or physical attacks.
- Give us a reasonable opportunity to remediate before disclosing publicly, and coordinate any public disclosure with us.
- Comply with all applicable laws; this policy does not authorize activity that would be unlawful.
How to report
Send your report to our security contact, encrypting sensitive details where possible. A clear report helps us validate and fix the issue quickly. Please include:
- A description of the vulnerability and the affected product, service, URL or system.
- Step-by-step instructions to reproduce the issue, including any proof-of-concept.
- The potential impact, and any suggested remediation if you have one.
- Your name or handle for acknowledgement (or a note that you wish to remain anonymous), and how we may contact you.
What happens next
After you submit a report, we follow a consistent process and keep you informed at each stage:
| Stage | What we do | Target |
|---|---|---|
| Acknowledge | Confirm we have received your report | 2 business days |
| Triage | Validate and assess severity and scope | 10 business days |
| Remediate | Develop, test and deploy a fix or mitigation | Risk-based |
| Disclose | Coordinate public disclosure and credit, where appropriate | By agreement |
Recognition
Atos does not currently operate a paid bug-bounty program. We are grateful to researchers who help keep our systems secure and, with your permission, will acknowledge your contribution publicly once an issue is resolved. Any change to this status will be announced on our blog and social media accounts.
Use of published findings — disclaimer
The information published by the Atos Threat Research Center, including advisories, threat analyses, indicators of compromise and any associated code or samples, is provided for informational and defensive purposes only, on an “as is” basis without warranties of any kind, express or implied, including as to accuracy, completeness or fitness for a particular purpose. Any proof-of-concept or sample code is published solely to help defenders understand and mitigate the issue described, and must not be used for any unlawful or unauthorized purpose. You are responsible for testing only systems you own or are authorized to test. Product and company names referenced are the property of their respective owners and reference does not imply endorsement. To the maximum extent permitted by law, Atos accepts no liability for any loss or damage arising from the use of, or reliance on, this information. This content does not constitute legal or professional advice.
Contact and governance
We welcome vulnerability reports and coordination requests from vendors and researchers. Security contact: threat-research-center@atos.net.
Encrypted communication: PGP key / fingerprint.
Research blog: https://atos.net/en/lp/cybershield. This charter and policy are owned jointly by the Threat Research Center and Atos Legal, reviewed at least annually and updated to reflect evolving standards, regulation and practice.