About
The Ford Vision
People working together as a lean, global enterprise to make people’s lives
better through automotive and mobility leadership.
Innovation
The Ford Motor Company has maintained its position as a leader in the
automotive industry through its innovative people, technologies, and
communities. The principle of
innovation applies to all aspects of Ford, including security. The Coordinated
Disclosure Program is a modern, yet essential security tool, and we need your
help to expand its reach.
Ford will be selecting top researchers from our programs to participate in
future special hacking projects. We’re excited to work with HackerOne and the
hacker community to help keep Ford customers safe.
Eligibility
- You must be 18 years old or older and of sound mind to submit a vulnerability for consideration. If you are a minor, you must submit through a parent or legal guardian.
- You are an individual security researcher participating in your own individual capacity.
- If you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing your employer’s rules for participating in this program.
Researchers who meet any of the following criteria are ineligible for
participation:
- A resident of any country or region under United States sanctions, such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea, or a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.
- A current employee of Ford Motor Company or a Ford subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
- A contingent staff member or contractor or vendor employee currently working with Ford.
Response Targets
If we require additional information from you, please allow for another 2-3
days for our team to review and respond to new comments.
Response Target | Time (in business days)
---|---
First response (from report submit) | 2 days
Triage (from report submit) | 2 days
Resolution | Depends on severity and complexity
Test Instructions
All assets in scope are on production; no VPN or credentials are required for
testing.
Reporting Criteria
All reports will be evaluated based on the following criteria:
- Steps to reproduce the vulnerability
- Working proof of concept
- Business impact
- Effort required to exploit the vulnerability
- Likelihood of vulnerability being discovered
Valuable Vulnerabilities
- Remote Code Execution
- SQL Injection
- Privilege Escalation to Admin Level
- XML Injection
- Insecure Direct Object Reference
Example of valuable vulnerability
High
- Summary: An authentication bypass was found on a mobile-to-web application. Access to certain functions was disabled only by client-side JavaScript. By removing the relevant variables, a user was able to use features that were previously restricted.
Ford Coordinated Disclosure Rules
General Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may be closed as Information or NA.
- Submit one report per individual vulnerability. If multiple vulnerabilities could be chained, but still require different fixes, please submit them as separate reports and include the ID# of the other related reports.
- Multiple vulnerabilities caused by one underlying issue will be treated as one vulnerability; the first report will be triaged as the original, and all future reports will be closed as Duplicate.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Grounds for Disqualification
Attempting any of the following could result in permanent disqualification
from the disclosure program and possible criminal and/or legal investigation.
We do not allow any actions that could negatively impact the experience on our
websites, apps, or vehicles for other Ford customers.
- Disruption or denial-of-service attacks (Application and Network)
- Social engineering attacks
- Brute-force attacks
- Exfiltration of data
- Code injection on live systems
- The compromise or testing of application accounts that are not your own
- Any threats, attempts at coercion, or extortion of Ford employees, other partner employees, or customers
- Physical attacks against Ford, contractors, or customers
- Any physical attempts against Ford property or data centers
- Access the personal information of any other person without consent
- Any other action that violates the law
- Any action that endangers yourself, other motorists, or pedestrians
- Attacks against manufacturing systems, applications, networks, and infrastructure. This includes transportation, transportation infrastructure, plant machinery, personnel, equipment, and vehicles
- Aggressive vulnerability scans or automated scans on Ford servers (including scans using tools such as Core Impact or Nessus)
- Keep scans to 45 requests per minute
Out-of-Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope:
- Due to the volume of 3rd party assets, including dealerships, partners, suppliers, etc., Ford is excluding low and medium severity 3rd party vulnerabilities from the initial scope. Ford will accept high and critical severity 3rd party vulnerabilities on a case by case basis.
- Self XSS
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Reports from automated tools or scans that don’t prove a unique, valid security threat
- Content spoofing and text injection issues WITHOUT showing an attack vector/without being able to modify HTML/CSS
- Brute force attacks
- Password and account recovery policies, such as reset link expiration or password complexity
- Bypass of URL malware detection
- Vulnerabilities affecting users of outdated or unpatched browsers and platforms
- Externally hosted services utilized by Ford
Disclosure Policy
- Follow HackerOne's disclosure guidelines.
- Ford reserves the right to approve or deny any request for disclosure.
- Disclosing vulnerability information without Ford approval may result in a program ban.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Thank you for participating in Ford’s Coordinated Disclosure Program.