Report Potential Security Vulnerabilities

At Cummins, security and compliance are top priorities. If you have information related to security vulnerabilities of Cummins products or services, we want to hear from you and are committed to taking steps to resolve your concerns. We value the positive impact of your work and thank you for notifying Cummins of this matter.

Product Vulnerability & Incident Reporting

To report a potential vulnerability or security incident involving a Cummins product or service, please notify the Cummins Product Cybersecurity Incident Response Team (PCIRT) at [email protected]. Following submission, Cummins PCIRT will review the report and respond. You will receive a notification of receipt within 2 working days.

Please include the following in your report:

• Email subject line: “Potential Vulnerability”
• Product, model, version
• Description of the concern or vulnerability
• Information to help our team replicate the issue (e.g. configuration details, a proof-of-concept or exploit code)
• Contact information

We strongly recommend submissions of reports be encrypted via PGP. Cummins’ public PGP key can be found below.

Incident Response

PCIRT Incident Response procedures meet or exceed standards set by CSRC NIST (Computer Security Resource Center National Institute of Standards & Technology) incident response lifecycle for identifying, validating, mitigating and communicating vulnerabilities in Cummins products. Consistent with these standards and our company’s security culture, Cummins partners with researchers, academia and coordinating authorities to continuously assess for vulnerabilities and improve security in our products. Cummins reviews this process annually to ensure alignment with NIST guidance.

Issues that are considered out of scope for this submission (including but not limited to):

• Reports from automated tools or scans
• Reports of insecure SSL / TLS ciphers
• Social engineering of Cummins employees or contractors
• Open ports which do not lead directly to a vulnerability
• Equipment damage through physical harm
• Facility security gaps
• Denial of Service attacks
• Phishing attacks
• Website vulnerabilities

Cummins' Public PGP Key

pub rsa4096 2019-12-05 [SCA] [expires: 2023-12-05]

Key fingerprint = C4F4 7D1F F01B C21F B7D7 190B 9D9A 9727 292C 7199

uid  Product Cybersecurity [email protected]

sub rsa4096 2019-12-05 [E] [expires: 2023-12-05]

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBF3pmWUBEACk/BzVFs3om+f6DBNthNpEnmp6DSnaOiPMn3Hia2vh0MQ+5Hml
1wAop239VHKH9pnOtLrqKdJRUkW4ryaJUzPK8h3nj14yqiZB6Q/1hLHQzd8HmHIc
J7DXOfNQ+niyRauCl6rLneBDpsGk01PkS0a2hE8Y5Xwtbc/TX2kpRkBfDlVfJ3Gs
rnomUbc4jY28W4PO3cFXEzFNdNkgZfzcx672JZ+IaLH8YIaOxNMqpfFW7kkmdkZO
5/0JzWxEJvKvgWQlnhnrYEYkWMgxGWqmh2rR80Te2+sYJ9ze1BL+lKfrxsF8QXHJ
ZKFaAo2b4GSlzJmrx4iup+cbq/JbCla6w8W1kan995ylyoLp/hs5Ox0d68jWfbS5
o4nee/awmdVzaJerolwhWIMx3AI12Y5p8pQLqquPtaXi1PkfNlqtVJvnNP8l0jgj
KcJLR2kyd810NVhsgBMo5aSyFChJW+1EYJJX61P7vcTRWjX/EhThod0wHn8HKBM9
o92itX6OsR2IcwlPLf5M2j+m49/XRblRaqZ4fkeNHunKUhOLuGVr+61QRFEY5RMC
EG7wAKwVeccFDjqMUtIrZfvZxFEvZ1MXyhZvcdNgCSOjdS7gjvDn+/nmUE7gZb88
YTArD9nsQo70V2lnPpIlCI1J5ZAkbycUbN9cpqk6APnEqshNykAYQ7HA7QARAQAB
tDlQcm9kdWN0IEN5YmVyc2VjdXJpdHkgPHByb2R1Y3QuY3liZXJzZWN1cml0eUBj
dW1taW5zLmNvbT6JAlQEEwEIAD4WIQTE9H0f8BvCH7fXGQudmpcnKSxxmQUCXemZ
ZQIbIwUJB4W9qwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCdmpcnKSxxmUrM
EACMvjK3ylhu5cjcpyZvr5kKY0wltcyj6G+2tArkNahEukH9jE3ZqBmR6TB6dEzN
DtWQCAR41C+qC2xA6N4gHBzkdG8gQcffQWwrXHArp8IlGkmwCqSmzsKbP2lV4Amb
HUF9EaQsa84FgFLnJOdA3DjEFH94S111bstCAmdGR/zkoro9qvhx/N+5421g+I7D
Blv/BaoUG2CRyiPcbl/fBkLfamTKmntRsSQGDDdIRINzv2OiuVgLGzMMDBRELwlR
57ZPq4Yp+BR/5Lb+/IfCJ6RWYV4lQff5BDU9+khosx8tMYB3UBjSlcT1uejlVcPS
BFVVGtVP25d2X4+2UWmBV4FvDWU2+G/1xwgT8UDpmDwIxWF90MtV2s4tBjK7IufJ
20ewUjKFeNkTNen4nUvaW0BnbrhmW0xjgu3xz70tlERT5iUsI1/5wgshQZp3hgHh
FAghR2HprvNJ8PRvSwZrK2kId2RWVf3K1oKjpUTlb2v0djLIMxGn1vo5NZGyH6Ks
GNg2JnaXZtEZkWZpFZl5rl6kV5WzbbbZgRmZQ/OKGG75MRd458Kb3HkwwsAPd1kN
vOTDblheEmsCNYHt/m+A9bSobgIoO1tZ9qnfkiUSH8DjqAvBaU09/FuS4C1e1p6v
PkEHRjbVW0NRa06UYkDK5XC27gpOlHq9+0FYhiw7fNdeq7kCDQRd6ZllARAAnrnf
ne2YWAxNNB+rNLbhwfCzinUmeZVOrdneIODgOQsfmQqopaqkR1emqlJZ5iAHqBU3
ZrzBG9T0tK+aWT9DxBoFqTd8SMmb5Hiw1DzcX3iy8sjb8DiKsg9b6BhEEu9oMU+o
mzbgWV5wmTr41Gqm3tTXXNdtu1/cw8ZDjYNPWe2VgAldV5bDsaBCufbHjC0qCnfk MteEbjWNYaMhPA6pq6OjK6CsAnMJfBU0NJbmbqmdBEk96xYdo4CBqyUMzHShnKpV pACw5p+FYG3+RfnE9KD8+JVaarg9P+JFxH1W2gpER52ymLi0/NmrlFS87hW3vPRH tAhDsMUtaTHiGxK3ZgyFYdwEbo4U1V2q0CFOrHgapiwN4/MyGFzyvqMweZFqKw4Z
4M+l3Y/13KVGrhu3PnUaMW4WpE9jE3rgOxKiQzhh/r5xfRE7dLzmI5fa6owB7x/K
bm7VBKUlYGMsZdBolO+pTJBbL0ofRfSeZswB3+AyRg3gED23z6H2z9nT+azZiTL2
toRnJmCy1TVYO4XohufDg8MxlK9xBWmwEQHbh0SjG+WpdxsmT8xYPXTd7hL6UYJX
zUEGNHTSsIVsNiueoTtDK45R+0+/LJ2O4fIdWfjDe6SoRyiinQQblzOu//YM6nia
1RmX8GvoXkysB8ZMA4a1P5FtOWWqyLXPiGYxe08AEQEAAYkCPAQYAQgAJhYhBMT0
fR/wG8Ift9cZC52alycpLHGZBQJd6ZllAhsMBQkHhb2rAAoJEJ2alycpLHGZenQQ
AIFrNoa9XliWwSlqHnpGgs0+o0Ux6WCXC7BLuH16dKiRKBSjtFPw6jl/29NvVGGV
UwQ3nmHfdM3bjavY4p+Ap1NClk4GQMs33ue76rfxgsz6C0qB7r13/dNIQh6QgkuB
sfxseu1YBoZuC0UBfoSxtWLIW44Xks1sEJhav3TTX0BNBJyQpxJwY519NzCEefMq
RE3mK4cJdEeur8eDtPFoQ8xo+AKBF6gCWENHTn0ZslkFBL1G0qieNWDEzCzfZlmj
1PCaskE1REWpPOstKr07WkLU/Bvk6EAH0BfRdzb2m8+HGMCofaTNkpd3wlbGZ3II
rtkm9shhW7mJBFI8fAW0iXlQ/9IxOHsz4OiD4Rt7/jyzVv9t1dhaN9+Pf4LAESjL
5MAgAbZCUPzoHKzV1+23VWba7RKL61SNEP3HUQjY6Zn+1QElr3QSdITQdgdtuEAI
NWRt0rYTv188MIkvtz7+YkzwilyMEDXLNEMchiWNHNe9SjEQY7XFCBvnDAV2x6il
zMQJbwvh6vXtKeF0zg5Xi3kJQOt4eYKidlIeeRcn7h9teQMvBAj0TaEY7T4Oolmd
1k3c4JxpvR/bQhp8N8lPKP05kIRJdCAp4cYNU3MtrsB5Gpx9iWM0DoqK7j2pzKaI
gWOajbxWKNqVU9T/xMrWgoVKhTgwqR4wc5XmcZ3ivW5K =zCrc

-----END PGP PUBLIC KEY BLOCK-----