The Ford Vision
People working together as a lean, global enterprise to make people’s lives better through automotive and mobility leadership.
The Ford Motor Company has maintained its position as a leader in the automotive industry through its innovative people, technologies, and communities. The principle of innovation applies to all aspects of Ford, including security. The Coordinated Disclosure Program is a modern, yet essential security tool, and we need your help to expand its reach.
Ford will be selecting top researchers from our programs to participate in future special hacking projects. We’re excited to work with HackerOne and the hacker community to help keep Ford customers safe.
If we require additional information from you, please allow for another 2-3 days for our team to review and respond to new comments.
Response Target | Time (in business days)
First response (from report submit) | 2 days
Triage (from report submit) | 2 days
Resolution | Depends on severity and complexity
All assets in scope are on production; no VPN or credentials are required for testing.
All reports will be evaluated based on the following criteria:
A vulnerability should NOT be dependent on another vulnerability. Each vulnerability should be executable on its own.
No damage caused to a vehicle by modification will be covered under warranty.
Submit one report per individual vulnerability. If multiple vulnerabilities could be chained, but still require different fixes, please submit them as separate reports and include the ID# of the other related reports.
Multiple vulnerabilities caused by one underlying issue will be treated as one vulnerability; the first report will be triaged as the original, and all future reports will be closed as Duplicate.
Attempting any of the following could result in permanent disqualification from the disclosure program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps, or vehicles for other Ford customers.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Due to the volume of 3rd party assets, including dealerships, partners, suppliers, etc., Ford is excluding low and medium severity 3rd party vulnerabilities from the initial scope. Ford will accept high and critical severity 3rd party vulnerabilities on a case-by-case basis.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for participating in Ford’s Coordinated Disclosure Program.