52235 policies in database
Link to program      
2020-04-07
BMW Group logo
Thank
Gift
HOF
Reward

Reward

BMW Group

Program description

The BMW Group places special emphasis on the security, integrity and availability of its data and systems and thus also on those of its customers, employees and partners. We value the work of security researchers in improving the security of our products and services and encourage the community to participate in our bug bounty program. We are committed to working with you to verify, reproduce, and respond to legitimate reported vulnerabilities covered by this policy. Within this program bounties can be received by reporting vulnerabilities that are in the scope of program and marked as “Eligible”. Please take note of the current scope outlined below.

Critical findings can earn you a place on our BMW Security Hall of Fame:

https://www.bmwgroup.com/de/general/Security.html

Response times

Generally, we try to achieve the following response times:

  • Time to first response (from report submit) - 1 business day

  • Time to triage (from report submit) - 3 business days

  • Time to bounty approval (from triage) - 7 business days

Disclosure Policy

  • Adhere to common responsible disclosure principles.

  • Do not disclose details of this program or vulnerabilities (even resolved ones) to the public or any third party without the BMW Group’s explicit consent.

  • Follow HackerOne's disclosure guidelines.

Program Rules

General Rules

  • Follow the Hacker One disclosure guidelines if not stated otherwise in this policy.

  • In case of duplicate submissions, only the first report that was received will be awarded (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • No test accounts will be provided.

  • Some sites might rely on shared resources or assets. If we identify this issue, we will only award a bounty for the first report.

  • Public Zero-day vulnerabilities that have had an official patch for less than 6 weeks will be awarded on a case by case basis

Out of scope vulnerabilities

While not being covered by the safe harbor clause, vulnerabilities that are out of scope of this program can be reported by choosing the asset “Other Vulnerabilities”. Please consider that this asset is out of scope of the program and not eligible for bounty.

Since assets that are out of scope are eligible for submission they are shown below in the category "In Scope". Please consider the additional information shown at these assets.

Do's

  • Always submit proof or a PoC regarding the exploitability for your finding.

  • Provide detailed reports with reproducible steps, including the full http requests leading to the exploit.

  • Submit one vulnerability per report, unless you need to chain the vulnerabilities for successful exploitation.

Don'ts

  • Do not disclose vulnerabilities to the public or to any third party.

  • Do not perform any testing that causes degradation to BMW's services; e.g. denial of service, or heavy automated scanning.

  • Do not access or make changes to customer accounts.

  • Do not perform social engineering attacks, including phishing.

  • Do not spam.

  • Do not perform any physical attacks.

  • Any lateral movement and post-exploitation past the initial exploitation is forbidden.

Scope definition

In scope

For submissions on assets in scope, please ensure the following requirements are met:

Browsers

Browsers have to be up to date (latest released stable version) on the day of submission. Vulnerabilities which require certain plugins are out of scope.

Only the following browsers are in scope:

  • Chrome

  • Firefox

  • Safari

  • Edge

  • Internet Explorer

Targets

Only the targets listed below in the "In Scope" sections are in scope.

Vulnerabilities

  • Everything not excluded in the out of scope vulnerabilities

Out of scope

Browsers

  • Everything not explicitly listed as in scope.

Targets

  • Everything not explicitly listed as in scope.

  • All subdomains of the domains in scope.

  • If pages redirect to other domains, those all are out of scope.

  • Any services which are not web-applications.

Vulnerabilities

  • Man in the middle attacks.

  • Self-XSS and other vulnerabilities only possible through Self-XSS.

  • CSRF.

  • CSRF logout.

  • Self-exploitation (e.g., token or cookie reuse).

  • Results of scanners without proof of concept for an exploit.

  • Text spoofing / content injection.

  • Email Spoofing - SPF/DKIM/DMARC Records Misconfiguration.

  • SSL/TLS best practices.

Post-exploitation

All post-exploitation is out of scope, except the minimum to prove that the exploit is working:

  • In case of an RCE or injection attack, you may issue commands stating the version of the database, the system name or the local IP address.

  • All post exploitation that will lead to further vulnerabilities or risk the stability or integrity of a system is out of scope.

Safe Harbor

Any activities of a researcher in compliance with this Bug Bounty program and policy on in-scope assets will be considered as authorized by BMW AG and BMW AG will not take any legal actions against the researcher. If third parties initiate legal actions against the researcher based on those activities, the researcher may reference this Bug Bounty program and policy.

In Scope

Scope Type Scope Name
other

Automotive Security

other

Other Vulnerabilities

web_application

www.bmw.de

web_application

www.mini.de

web_application

www.bmw-motorrad.de

web_application

configure.bmw.de

web_application

configure.mini.de

web_application

konfigurator.bmw-motorrad.de


This program have been found on Hackerone on 2020-04-07.

FireBounty © 2015-2024

Legal notices | Privacy policy