2019-01-15
2019-08-22
Ford

About

The Ford Vision

People working together as a lean, global enterprise to make people’s lives better through automotive and mobility leadership.

Innovation

The Ford Motor company has maintained its position as a leader in the automotive industry through its innovative people, technologies, and communities. The principle of innovation applies to all aspects of Ford, including security. The Coordinated Disclosure Program is a modern, yet essential security tool, and we need your help to expand its reach.

Ford will be selecting top researchers from our programs to participate in future special hacking projects. We’re excited to work with HackerOne and the hacker community to help keep Ford customers safe.

Eligibility

  • You must be 18 years old or older and of sound mind to submit a vulnerability for consideration. If you are a minor, you must submit through a parent or legal guardian.

  • You are an individual security researcher participating in your own individual capacity.

  • If you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing your employer’s rules for participating in this program.

Researchers who meet any of the following criteria are ineligible for participation:

  • A resident of any country or region under United States sanctions (such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea), or a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.

  • A current employee of Ford Motor Company or a Ford subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.

  • A contingent staff member or contractor or vendor employee currently working with Ford.

Response Targets

If we require additional information from you, please allow for another 2-3 days for our team to review and respond to new comments.

| Response Target | Time (in business days) |
| ------------------- | --------------------- |
| First response (from report submit) | 2 days |
| Triage (from report submit) | 2 days |
| Resolution | Depends on severity and complexity |

Test Instructions

All assets in scope are on production; no VPN or credentials are required for testing.

Reporting Criteria

All reports will be evaluated based on the following criteria:

  1. Steps to reproduce the vulnerability

  2. Working proof of concept

  3. Business impact

  4. Effort required to exploit the vulnerability

  5. Likelihood of vulnerability being discovered

Valuable Vulnerabilities

  • Remote Code Execution

  • SQL Injection

  • Privilege Escalation to Admin Level

  • XML Injection

  • Insecure Direct Object Reference

Example of valuable vulnerability

High

  • Summary: An authentication bypass was found in a mobile-to-web application. Access to certain functions was disabled only by client-side JavaScript; by removing the relevant variables, a user was able to use features that were supposed to be restricted.

Ford Coordinated Disclosure Rules

  • The same vulnerability that is found on multiple domains will be treated as a SINGLE vulnerability. Please report all affected domains (e.g. ford.com.ca, ford.com.mx, ford.com.br, etc.) on a single report. All subsequent reports will be closed as a Duplicate.

  • Do not modify a vehicle that is used on public roads in a manner that could affect the safety of you, other motorists, or pedestrians.

  • Do not modify or access data that does not belong to you.

  • A vulnerability should NOT be dependent on another vulnerability. Each vulnerability should be executable on its own.

  • No damage caused to a vehicle by modification will be covered under warranty.

  • Although Ford will not retaliate against legitimate participants who comply with the Coordinated Disclosure Guidelines, we cannot represent the position of other entities, such as law enforcement or other copyright owners.

  • In return for Ford’s consideration of Participant’s submission, which Participant hereby acknowledges as sufficient consideration, Participant waives any claims related to confidentiality and grants Ford a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, fully paid-up, sub-licensable and transferable right to use, copy, reproduce, display, modify, adapt, transmit, and distribute any content submitted, and Participant also covenants not to sue Ford based on any content submitted and for any actions taken by Ford related to any submission.

  • Ford will not publicly disclose the identity of any submitter without consent, except where required by law.

General Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may be closed as Information or NA.

  • Submit one report per individual vulnerability. If multiple vulnerabilities could be chained, but still require different fixes, please submit as separate reports and include ID# of the other related reports.

  • Multiple vulnerabilities caused by one underlying issue will be treated as one vulnerability; the first report will be triaged as the original, and all future reports will be closed as Duplicate.

  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Grounds for Disqualification

Attempting any of the following could result in permanent disqualification from the disclosure program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps, or vehicles for other Ford customers.

  • Disruption or denial-of-service attacks (Application and Network)

  • Social engineering attacks

  • Brute-force attacks

  • Exfiltration of data

  • Code injection on live systems

  • The compromise or testing of application accounts that are not your own

  • Any threats, attempts at coercion, or extortion of Ford employees, other partner employees, or customers

  • Physical attacks against Ford, contractors, or customers

  • Any physical attempts against Ford property or data centers

  • Access the personal information of any other person without consent

  • Any other action that violates the law

  • Any action that endangers yourself, other motorists, or pedestrians

  • Attacks against manufacturing systems, applications, networks, and infrastructure. This includes transportation, transportation infrastructure, plant machinery, personnel, equipment, and vehicles

  • Aggressive vulnerability scans or automated scans on Ford servers (including scans using tools such as Core Impact or Nessus)

    • Keep scans to 45 requests per minute

Out-of-Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Due to the volume of 3rd party assets, including dealerships, partners, suppliers, etc., Ford is excluding low and medium severity 3rd party vulnerabilities from the initial scope. Ford will accept high and critical severity 3rd party vulnerabilities on a case by case basis.

  • Self XSS

  • Clickjacking on pages with no sensitive actions

  • Unauthenticated/logout/login CSRF

  • Attacks requiring MITM or physical access to a user's device

  • Previously known vulnerable libraries without a working Proof of Concept

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability

  • Missing best practices in SSL/TLS configuration

  • Any activity that could lead to the disruption of our service (DoS)

  • Reports from automated tools or scans that don’t prove a unique, valid security threat

  • Content spoofing and text injection issues WITHOUT showing an attack vector/without being able to modify HTML/CSS

  • Brute force attacks

  • Password and account recovery policies, such as reset link expiration or password complexity

  • Bypass of URL malware detection

  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms

  • Externally hosted services utilized by Ford

Disclosure Policy

  • Follow HackerOne's disclosure guidelines.

  • Ford reserves the right to approve or deny any request for disclosure.

  • Disclosing vulnerability information without Ford approval may result in a program ban.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for participating in Ford’s Coordinated Disclosure Program.

In Scope

| Scope Type | Scope Name |
| ------------------- | --------------------- |
| android_application | com.lincoln.lincolnway |
| android_application | com.lincoln.lincolnplay |
| android_application | com.lincoln.lincolnalexa |
| android_application | com.ford.mfm |
| android_application | com.ford.fordpass |
| android_application | com.ford.remoteaccess |
| android_application | com.ford.fordalexa |
| android_application | com.ford.fordplay |
| android_application | com.ford.performance.android.experience |
| android_application | com.ford.therightway |
| android_application | com.ford.fordvr |
| hardware | Vehicle |
| ios_application | 1290945517 |
| ios_application | 1142223695 |
| ios_application | 1316029395 |
| ios_application | 1068283395 |
| ios_application | 599142823 |
| ios_application | 587040067 |
| ios_application | 1095418609 |
| ios_application | 950707840 |
| ios_application | 1225744589 |
| ios_application | 1316029168 |
| ios_application | 1141482401 |
| ios_application | 1290960071 |
| web_application | *.lincoln.com |
| web_application | *.motorcraft.com |
| web_application | *.omnicraftautoparts.com |
| web_application | *.ford.com |
| web_application | *.quicklane.com |


This program, crawled on 2019-01-15, is categorized as a bounty program.
