About:
At Ford, we strive to provide a high level of safety and security to our
employees, our suppliers, and most importantly our customers. Engaging the
security community is a key aspect of Ford’s security strategy and this
program seeks to harness the collective knowledge and skill of individual
researchers.
At a high level, the scope of this program is straightforward and
all-encompassing: the entirety of Ford’s public digital footprint. Key inclusions
and exclusions are detailed in sections below. We will investigate legitimate
reports quickly on behalf of our customers when we determine action is
needed.
Ratings:
For the initial prioritization/rating of findings, this program will use
the Bugcrowd Vulnerability Rating Taxonomy. However, it is
important to note that in some cases a vulnerability priority will be modified
due to its likelihood or impact. In any instance where an issue is downgraded,
a full, detailed explanation will be provided to the researcher - along with
the opportunity to appeal, and make a case for a higher priority.
This program only awards points for submissions.
Targets
In scope
Target name | Type
---|---
Ford | Other
Due to the breadth of available attack surface for this program, when
reporting a vulnerability, please be sure to specify exactly where the
vulnerability is found.
Access
No special tools or technology are required to access this program. All
public-facing sites/systems owned and operated by Ford Motor Company are in
scope for this program. Credentials will not be provided for any application,
service, server, network, or any other item of Ford’s requiring credentials.
Please be aware when testing any dealer site that these sites are quite
commonly all part of a shared CMS/code base - which unfortunately means that
they are not only systemic but will also be a one-push fix. We will consider
the first instance of any valid issue as accepted, and then all others will
be marked as N/A. The most common example of this is for FordDirect sites
- to check if a given site is a FordDirect site, simply search on the page for
“Copyright © 2018 FordDirect” (or similar), and that should give a good idea
of whether or not the site runs off this shared code base. However, it is
critical to note that this is just the most common manifestation of systemic
issues that we're immediately aware of - and that there may be (and likely
are) other systemic targets that we'll update to the brief as we encounter
them.
Rules/Guidelines:
To encourage responsible reporting, we will not retaliate against any
participant who complies with the following Coordinated Disclosure Guidelines
(unless required to by law):
- Do not modify a vehicle that is used on public roads in a manner that could affect the safety of you, other motorists, or pedestrians.
- Provide details of the vulnerability and exploit methodology, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not modify or access data that does not belong to you.
- Do not use vulnerabilities (reported or not-yet-reported) to pivot and discover further vulnerabilities.
Additionally, it is important to note the following limitations and
requirements:
- No damage caused to a vehicle by modification will be covered under warranty.
- Although Ford will not retaliate against legitimate participants who comply with the Coordinated Disclosure Guidelines, we cannot represent the position of other entities, such as law enforcement or other copyright owners.
- In return for Ford’s consideration of Participant’s submission, which Participant hereby acknowledges as sufficient consideration, Participant waives any claims related to confidentiality and grants Ford a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, fully paid-up, sub-licensable and transferable right to use, copy, reproduce, display, modify, adapt, transmit, and distribute any content submitted, and Participant also covenants not to sue Ford based on any content submitted and for any actions taken by Ford related to any submission.
- Ford will not publicly disclose the identity of any submitter without consent, except where required by law.
Out-of-Scope
Attempting any of the following will result in permanent disqualification
from the bug bounty program and possible criminal and/or legal investigation.
We do not allow any actions that could negatively impact the experience on our
websites, apps, or vehicles for other Ford customers.
- Disruption or denial-of-service attacks (Application and Network)
- Social engineering attacks
- Brute-force attacks
- Exfiltration of data
- Code injection on live systems
- The compromise or testing of application accounts that are not your own
- Any threats, attempts at coercion, or extortion of Ford employees, other partner employees, or customers
- Physical attacks against Ford, contractors, or customers
- Any physical attempts against Ford property or data centers
- Vulnerability scans or automated scans on Ford servers (including scans using tools such as Core Impact or Nessus)
- Access the personal information of any other person without consent
- Any other action that violates the law
- Any action that endangers yourself, other motorists, or pedestrians
- Attacks against manufacturing systems, applications, networks, and infrastructure. This includes transportation, transportation infrastructure, plant machinery, personnel, equipment, and vehicles
Furthermore, submitting the following types of issues will result in your
submission being marked as out-of-scope:
- Attacks requiring physical access to a user's device
- Password and account recovery policies, such as reset link expiration or password complexity
- Content spoofing / text injection
- Non-session cookies missing secure/httponly flags
- Reports from automated tools or scans
- Reports of spam
- Bypass of URL malware detection
- Vulnerabilities affecting users of outdated or unpatched browsers and platforms
- Reconnaissance without proof of a vulnerability
- Externally hosted services utilized by Ford
Eligibility Requirements:
You are eligible to participate if:
- You are 18 years old or older and of sound mind when submitting a vulnerability for consideration. If you are a minor, you must submit through a parent or legal guardian.
- You are an individual security researcher participating in your own individual capacity.
- If you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing your employer’s rules for participating in this program.
Not Eligible to Participate:
- A resident of any countries/regions that are under United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, nor a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.
- A current employee of Ford Motor Company or a Ford subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
- A contingent staff member or contract or vendor employee currently working with Ford.
Program rules
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 —
Informational findings. Learn more about Bugcrowd’s VRT.