John Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.
We encourage the security research community, or anyone else, to report any potential vulnerabilities in accordance with the guidelines below. Please note that John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.
• Provide detailed reports with reproducible steps. Screenshots are welcome.
• Do not cause harm to John Deere, our customers, or others.
• Do not compromise the privacy or safety of John Deere, our customers, or others, or the operation of our services. Specifically:
o Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;
o Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;
o Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services;
o Do not violate any laws, including all privacy and data security laws.
• Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.
• Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.
• Do not participate in this program if you are:
o A member of a foreign terrorist organization as designated by the U.S. Department of State;
o A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or
o Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of Commerce.
• We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.
We agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program. In the event of a conflict between this policy and any HackerOne policy, this policy applies.
Any John Deere digital application, product or service, but excluding:
• Any John Deere machine, equipment or other hardware (collectively “Equipment”);
• Any software, firmware or other component of John Deere Equipment.
For the purposes of Program Scope, “John Deere” includes Deere & Company and each of its wholly-owned subsidiaries. Examples of digital applications, products and services that are in scope include:
• *johndeere.com
• *deere.com
• *wirtgen-group.com
• *bluerivertechnology.com
• *bearflagrobotics.com
• *jdisonline.com
• *agrisync.com
• *johndeerecloud.com
• *starfirenetwork.com
• *johndeeretechinfo.com
• https://apps.apple.com/us/app/myoperations/id1104383066
• https://play.google.com/store/apps/details?id=com.deere.myoperations&hl=en_US
• https://apps.apple.com/us/app/equipmentplus/id1498206477
• https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681
• https://play.google.com/store/apps/details?id=com.deere.equipmentplus&hl=en_US&gl=US
When reporting vulnerabilities, please consider:
• attack scenario/exploitability;
• security impact of the bug.
The following issues are considered out of scope:
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.
Any vulnerability requiring Social Engineering or Phishing to exploit is out of scope. Other out-of-scope issues include, but are not limited to:
• Self/Client/Reflective XSS (exception: Stored XSS vulnerabilities)
• Session Cookie Reuse
• Open redirect vulnerabilities
• Open ports which do not lead directly to a vulnerability
• Reports from automated tools or scans without a working Proof of Concept
• Physical Penetration Testing
• Denial of Service Attacks
• Non-Deere-hosted websites
• Presence of autocomplete attribute on web forms
• John Deere machines or equipment
| Scope Type | Scope Name |
|---|---|
| android_application | com.deere.myoperations |
| android_application | com.deere.equipmentplus |
| ios_application | 1104383066 |
| ios_application | 1498206477 |
| ios_application | 958749681 |
| web_application | *jdisonline.com |
| web_application | *johndeere.com |
| web_application | *wirtgen-group.com |
| web_application | *deere.com |
| web_application | *bluerivertechnology.com |
| web_application | *bearflagrobotics.com |
| web_application | *agrisync.com |
| web_application | *johndeerecloud.com |
| web_application | *starfirenetwork.com |
| web_application | *johndeeretechinfo.com |
FireBounty crawled the John Deere program on the HackerOne platform on 2021-08-02.