Toyota is committed to maintaining an effective partnership with the
cybersecurity community. We value your contributions and appreciate the
opportunity to work with you.
Reports submitted through this website for the www.toyota.com
properties are explicitly in scope and will be
accepted for evaluation. Examples include:
Toyota reserves the right to treat additional reports that comply with the
program requirements as in scope. While Toyota Motor North America may share
reports related to Toyota’s online properties managed by other Toyota
affiliate companies (e.g., toyota.jp) for their consideration, such reports
will be closed as Informative. Please visit this page again in the future for
further announcements as we expand the scope of the program.
Toyota retains discretion to determine whether to accept a report into the
program. For example, Toyota will not accept into this program vulnerabilities
with minimal security impact or low exploitability, vulnerabilities beyond
Toyota’s control, vulnerabilities discoverable through automated scans which
have not been verified manually, or vulnerabilities related to a violation of
the program requirements. Out of scope vulnerabilities include:
- Clickjacking on pages with no sensitive actions;
- CSRF without a demonstrated vulnerability;
- Security issues in third-party systems integrated with or related to Toyota systems;
- Password and account recovery policies, such as reset link expiration or password complexity;
- Presence of autocomplete attribute on web forms;
- Software version disclosure;
- User ID enumeration;
- Vulnerabilities only affecting outdated or unpatched browsers;
- SSL/TLS configurations without a demonstrated vulnerability;
- Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure;
- Missing http-only or secure cookie flags unrelated to a vulnerability;
- Missing security headers unrelated to a vulnerability;
- Attacks against network and security infrastructure; and
- Email spoofing issues (e.g., absence or misconfiguration of SPF, DKIM, DMARC).
Toyota agrees not to pursue legal action against researchers who submit
in-scope reports and:
- Engage in testing/research of systems without harming Toyota, its customers, employees, or third parties;
- Do not compromise the privacy of Toyota’s customers, employees, or other individuals (e.g. by accessing personal information);
- Do not conduct social engineering, spam, or phishing attacks;
- Do not test the physical security of any property of Toyota or third parties;
- Do not conduct denial-of-service or resource-exhaustion attacks;
- Do not test properties or systems outside the United States;
- Comply with applicable criminal laws;
- Adhere to other applicable laws (other than those that would result only in claims by Toyota);
- Are not a person employed by Toyota or a Toyota supplier, and are not submitting a report by a person employed by Toyota or a Toyota supplier; and
- Comply with the HackerOne Terms and Conditions as well as the terms stated here.
Any researcher who submits a report to Toyota through this website agrees
not to disclose to a third party any information related to that report, the
vulnerability reported, or the fact that a vulnerability has been reported to
Toyota. This agreement regarding disclosure applies regardless of whether
Toyota had prior knowledge of the information.
You agree that Toyota may disclose the information in a report you submit
through this website. Toyota will consider any request from a researcher to
make a disclosure, but reserves the right to deny such requests.
How to Submit a Report
To submit a report to Toyota, please use the Submit Report button on this
By submitting a report, you represent that you are not located in or otherwise
ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea; and
that you are not identified on, or owned or controlled by or acting on behalf
of a party identified on, restricted party lists maintained by the U.S. or
other relevant governments.
Expectations for Researchers:
- Well-written reports in English will have a higher chance of faster response and resolution;
- Reports that include proof-of-concept code enable Toyota to better understand and triage the submitted information;
- Reports that include only output from programs may receive lower priority;
- Participating in this program does not give you any right to intellectual property owned by Toyota or a third party;
- Please include how you found the vulnerability; if possible include any potential remediation(s); and
- Please do not include any personal information.
What You Can Expect:
- A timely response to your submission;
- An open dialog to discuss issues;
- Notification when each stage of Toyota’s review has completed; and
- Recognition after the vulnerability has been validated and fixed.