Tesla

In Scope

Scope Type | Scope Name
---|---
android_application | Official Tesla Android apps
hardware | A hardware product that you own or are authorized to test against (Vehicle/PowerWall/etc.)
ios_application | Official Tesla iOS apps
web_application | *
web_application | *
web_application | *
web_application | *
web_application | Any host verified to be owned by Tesla Motors Inc. (domains/IP space/etc.)

Out of Scope

Scope Type | Scope Name
---|---
web_application | (you can report vulnerabilities to
web_application | Any other third-party websites hosted by non-Tesla entities
web_application | Any SolarCity property, including *
web_application | Any domains from acquisitions, such as


Tesla values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.

For vehicle or energy product
While we use Bugcrowd as a platform for rewarding all issues, please report vehicle- and product-related issues directly to, using our GPG key to encrypt reports containing sensitive information.

Third-party bugs
If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, Tesla reserves the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers through this process.

Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, provided you comply with the following Responsible Disclosure Guidelines:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC). Any vulnerability that implicates functionality not resident on a research-registered vehicle must be reported within 168 hours and zero minutes (7 days) of identifying the vulnerability.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not modify or access data that does not belong to you.
  • Give Tesla a reasonable time to correct the issue before making any information public.

For the avoidance of doubt,

  • If, through your good-faith security research, you (a pre-approved, good-faith security researcher) cause a software issue that requires your research-registered vehicle to be updated or "reflashed," as an act of goodwill, Tesla shall make reasonable efforts to update or "reflash" Tesla software on the research-registered vehicle by over-the-air update, offering assistance at a service center to restore the vehicle's software using our standard service tools, or other actions we deem appropriate. Tesla has complete discretion as to the software or other assistance that will be provided and it may be only for a limited number of times. Tesla's support does not extend to any out-of-pocket expenses (e.g. towing) incurred by you. Tesla reserves the right to limit the number of service requests per pre-approved, good-faith researcher and unregister a research-registered vehicle at any time.
  • Tesla considers that a pre-approved, good-faith security researcher who complies with this policy to access a computer on a research-registered vehicle has not accessed a computer without authorization or exceeded authorized access under the Computer Fraud and Abuse Act ("CFAA").
  • Tesla will not bring a copyright infringement claim under the Digital Millennium Copyright Act ("DMCA") against a pre-approved, good-faith security researcher who circumvents a security mechanism, so long as the researcher does not access any other code or binaries.
  • Tesla will not consider software changes, as a result of good-faith security research performed by a good-faith security researcher, to a security-registered vehicle to void the vehicle warranty of the security-registered vehicle, notwithstanding that any damage to the car resulting from any software modifications will not be covered by Tesla under the vehicle warranty.


In scope

Target name | Type
---|---
A hardware product that you own or are authorized to test against (Vehicle/PowerWall/etc.) | Hardware
* | Website
* | Website
* | Website
* | Website
Any host verified to be owned by Tesla Motors Inc. (domains/IP space/etc.) | Website
Official Tesla Android apps | Android
Official Tesla iOS apps | iOS

Out of scope

Target name | Type
---|---
(you can report vulnerabilities to | Website
Any other third-party websites hosted by non-Tesla entities | Website
Any SolarCity property, including * | Website
Any domains from acquisitions, such as | Website

When registering for an account, please use your email address. Please refrain from spamming forms (order forms, contact forms, etc.) with high numbers of requests.

Focus Area

  • Tesla's public facing web applications.
  • Vulnerabilities in other applications owned by Tesla.
  • Vehicle or product-related issues must be submitted by email to qualify for a reward; see above for instructions.

The following finding types are specifically excluded from the bounty:

  • Open redirects (through headers and parameters) / lack of a security speedbump when leaving the site.
  • Internal IP address disclosure.
  • Accessible non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.).
  • Social engineering / phishing attacks.
  • Self XSS.
  • Text injection.
  • Email spoofing (including SPF, DKIM, From: spoofing, visually similar addresses, and related issues).
  • Descriptive error messages (e.g. stack traces, application or server errors, path disclosure).
  • Fingerprinting/banner disclosure on common/public services.
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms).
  • Lack of Secure and HttpOnly cookie flags (critical systems may still be in scope).
  • Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements.
  • HTTPS mixed content scripts.
  • Username / email enumeration by brute forcing / error messages (e.g. login / signup / forgotten password).
    • Exceptional cases may still be in scope (e.g. ability to enumerate email addresses via incrementing a numeric parameter).
  • Missing HTTP security headers.
  • TLS/SSL issues, including BEAST, BREACH, insecure renegotiation, bad cipher suites, expired certificates, etc.
  • Denial of Service attacks.
  • Out-of-date software.
  • Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope).
  • Physical attacks against Tesla's facilities / property.


We pay rewards ranging from $100 to $15,000. Rewards are administered according to the following guidelines:

  • RCE: Up to $10,000
  • SQLi: $500–$10,000
  • XSS: $100–$1,000
  • CSRF: $100–$500
  • Authentication bypass: Up to $10,000
  • Horizontal privilege escalation: $500–$3,000
  • Vertical privilege escalation: $500–$10,000
  • Vehicle or product related vulnerabilities: case-by-case up to $15,000 (report directly, see above)

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

We support the open publication of security research. We do ask that you give us a heads-up before any publication so we can do a final sync-up and check.

FireBounty © 2015-2019