The BMW Group places special emphasis on the security, integrity and availability of its data and systems, and thus also on those of its customers, employees and partners. We value the work of security researchers in improving the security of our products and services and encourage the community to participate in our bug bounty program. We are committed to working with you to verify, reproduce and respond to legitimate reported vulnerabilities covered by this policy. Within this program, bounties are awarded for reported vulnerabilities that are in the scope of the program and marked as "Eligible". Please take note of the current scope outlined below.
Critical findings can earn you a place on our BMW Security Hall of Fame:
https://www.bmwgroup.com/de/general/Security.html
Generally, we aim to meet the following response times:
Time to first response (from report submit) - 1 business day
Time to triage (from report submit) - 3 business days
Time to bounty approval (from triage) - 7 business days
Adhere to common responsible disclosure principles.
Do not disclose details of this program or vulnerabilities (even resolved ones) to the public or any third party without the BMW Group’s explicit consent.
Follow HackerOne's disclosure guidelines unless this policy states otherwise.
In case of duplicate submissions, only the first report received will be awarded (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
No test accounts will be provided.
Some sites may rely on shared resources or assets. If a reported issue stems from such a shared resource, only the first report will be awarded.
Publicly known zero-day vulnerabilities for which an official patch has been available for less than 6 weeks will be awarded on a case-by-case basis.
Vulnerabilities that are out of scope of this program can still be reported by choosing the asset "Other Vulnerabilities". Please note that such reports are not covered by the safe harbor clause and are not eligible for a bounty.
Because out-of-scope assets can still be submitted, they are listed below in the category "In Scope". Please read the additional information shown for each of these assets.
Always submit proof or a PoC demonstrating the exploitability of your finding.
Provide detailed reports with reproducible steps, including the full HTTP requests leading to the exploit.
Submit one vulnerability per report, unless you need to chain the vulnerabilities for successful exploitation.
Do not disclose vulnerabilities to the public or to any third party.
Do not perform any testing that causes degradation to BMW's services; e.g. denial of service, or heavy automated scanning.
Do not access or make changes to customer accounts.
Do not perform social engineering attacks, including phishing.
Do not spam.
Do not perform any physical attacks.
Any lateral movement or post-exploitation beyond the initial exploitation is forbidden.
For submissions on in-scope assets, please ensure the following requirements are met:
Browsers must be up to date (latest released stable version) on the day of submission. Vulnerabilities that require particular plugins are out of scope.
Only the following browsers are in scope:
Chrome
Firefox
Safari
Edge
Internet Explorer
Only the targets listed below in the "In Scope" sections are in scope. The following are out of scope:
Everything not explicitly listed as in scope.
All subdomains of the domains in scope.
Any other domains that in-scope pages redirect to.
Any services which are not web applications.
Man-in-the-middle attacks.
Self-XSS and other vulnerabilities only exploitable through Self-XSS.
CSRF.
Logout CSRF.
Self-exploitation (e.g., token or cookie reuse).
Scanner output without a proof-of-concept exploit.
Text spoofing / content injection.
Email spoofing (SPF/DKIM/DMARC record misconfiguration).
SSL/TLS best-practice findings.
All post-exploitation is out of scope, except the minimum needed to prove that the exploit works:
In case of an RCE or injection attack, you may issue commands that return the database version, the system name or the local IP address.
Any post-exploitation that would lead to further vulnerabilities or risk the stability or integrity of a system is out of scope.
Any activities of a researcher on in-scope assets that comply with this Bug Bounty program and policy will be considered authorized by BMW AG, and BMW AG will not take legal action against the researcher for them. If third parties initiate legal action against the researcher based on those activities, the researcher may reference this Bug Bounty program and policy.
Scope Type | Scope Name |
---|---|
other | Automotive Security |
other | Other Vulnerabilities |
web_application | www.bmw.de |
web_application | www.mini.de |
web_application | www.bmw-motorrad.de |
web_application | configure.bmw.de |
web_application | configure.mini.de |
web_application | konfigurator.bmw-motorrad.de |
This program was found on HackerOne on 2020-04-07.
FireBounty © 2015-2024