Toyota is committed to maintaining an effective partnership with the cybersecurity community. We value your contributions and appreciate the opportunity to work with you.
Reports submitted through this website for the www.toyota.com and www.lexus.com properties are explicitly in scope and will be accepted for evaluation. Examples include:
Toyota reserves the right to treat additional reports that comply with the program requirements as in scope. Please visit this page again in the future for further announcements as we expand the scope of the program.
Toyota retains discretion to determine whether to accept a report into the program. For example, Toyota will not accept into this program vulnerabilities with minimal security impact or low exploitability, vulnerabilities beyond Toyota’s control, vulnerabilities discoverable through automated scans which have not been verified manually, or vulnerabilities related to a violation of the program requirements. Out-of-scope vulnerabilities include:
* Clickjacking on pages with no sensitive actions;
* CSRF without a demonstrated vulnerability;
* Security issues in third-party systems integrated with or related to Toyota systems;
* Password and account recovery policies, such as reset link expiration or password complexity;
* Presence of autocomplete attribute on web forms;
* Software version disclosure;
* User ID enumeration;
* Vulnerabilities only affecting outdated or unpatched browsers;
* SSL/TLS configurations without a demonstrated vulnerability;
* Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure;
* Missing HttpOnly or Secure cookie flags unrelated to a vulnerability;
* Missing security headers unrelated to a vulnerability; and
* Attacks against network and security infrastructure.
Toyota agrees not to pursue legal action against researchers who submit in-scope reports and:
* Engage in testing/research of systems without harming Toyota, its customers, employees, or third parties;
* Do not compromise the privacy of Toyota’s customers, employees, or other individuals (e.g. by accessing personal information);
* Do not conduct social engineering, spam, or phishing attacks;
* Do not test the physical security of any property of Toyota or third parties;
* Do not conduct denial-of-service or resource-exhaustion attacks;
* Do not test properties or systems outside the United States;
* Comply with applicable criminal laws;
* Adhere to other applicable laws (other than those that would result only in claims by Toyota);
* Are not a person employed by Toyota or a Toyota supplier, and are not submitting a report on behalf of a person employed by Toyota or a Toyota supplier; and
* Comply with the HackerOne Terms and Conditions (https://www.hackerone.com/terms) as well as the terms stated here.
The researcher(s) who submit a report to Toyota through this website agree not to disclose to a third party any information related to that report, the vulnerability reported, or the fact that a vulnerability has been reported to Toyota. This agreement regarding disclosure applies regardless of whether Toyota had prior knowledge of the information.
You agree that Toyota may disclose the information in a report you submit through this website. Toyota will consider any request from a researcher to make a disclosure, but reserves the right to deny such requests.
How to Submit a Report
To submit a report to Toyota, please use the Submit Report button on this page.
By submitting a report, you represent that you are not located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea; and that you are not identified on, or owned or controlled by or acting on behalf of a party identified on, restricted party lists maintained by the U.S. or other relevant governments.
Expectations for Researchers:
* Well-written reports in English will have a higher chance of faster response and resolution;
* Reports that include proof-of-concept code enable Toyota to better understand and triage the submitted information;
* Reports that include only output from programs may receive lower priority;
* Participating in this program does not give you any right to intellectual property owned by Toyota or a third party;
* Please include how you found the vulnerability; if possible include any potential remediation(s); and
* Please do not include any personal information.
What You Can Expect:
* A timely response to your submission;
* An open dialog to discuss issues;
* Notification when each stage of Toyota’s review has completed; and
* Recognition after the vulnerability has been validated and fixed.
Hall of Fame