Bountytalk - Forums Advertising & Bounty Hub

Other Bounties => Bug bounty programs => Topic started by: Angelina on June 14, 2023, 07:08:40 pm

Title: Ford Bug Bounty
Post by: Angelina on June 14, 2023, 07:08:40 pm
Submit bug report: http://ford.com

About
The Ford Vision
People working together as a lean, global enterprise to make people’s lives better through automotive and mobility leadership.
Innovation
The Ford Motor company has maintained its position as a leader in the automotive industry through its innovative people, technologies, and communities. The principle of innovation applies to all aspects of Ford, including security. The Coordinated Disclosure Program is a modern, yet essential security tool, and we need your help to expand its reach.
Ford will be selecting top researchers from our programs to participate in future special hacking projects. We’re excited to work with HackerOne and the hacker community to help keep Ford customers safe.
Eligibility
You must be 18 years old or older and of sound mind to submit a vulnerability for consideration. If you are a minor, you must submit through a parent or legal guardian.
You are an individual security researcher participating in your own individual capacity.
If you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing your employer’s rules for participating in this program.
Researchers who meet any of the following criteria are ineligible for participation:
A resident of any country or region that is under United States sanctions, such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea, or a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.
A current employee of Ford Motor Company or a Ford subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
A contingent staff member or contractor or vendor employee currently working with Ford.
Reporting Criteria
All reports will be evaluated based on the following criteria:
Steps to reproduce the vulnerability
Working proof of concept
Business impact
Effort required to exploit the vulnerability
Likelihood of vulnerability being discovered
Valuable Vulnerabilities
Remote Code Execution
SQL Injection
Privilege Escalation to Admin Level
XML Injection
Insecure Direct Object Reference

Ford Coordinated Disclosure Rules
The same vulnerability that is found on multiple domains will be treated as a SINGLE vulnerability. Please report all affected domains (e.g. ford.com.ca, ford.com.mx, ford.com.br, etc.) on a single report. All subsequent reports will be closed as a Duplicate.
Do not modify a vehicle that is used on public roads in a manner that could affect the safety of you, other motorists, or pedestrians.
Do not modify or access data that does not belong to you.
A vulnerability should NOT be dependent on another vulnerability. Each vulnerability should be executable on its own.
No damage caused to a vehicle by modification will be covered under warranty.
Although Ford will not retaliate against legitimate participants who comply with the Coordinated Disclosure Guidelines, we cannot represent the position of other entities, such as law enforcement or other copyright owners.
In return for Ford’s consideration of Participant’s submission, which Participant hereby acknowledges as sufficient consideration, Participant waives any claims related to confidentiality and grants Ford a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, fully paid-up, sub-licensable and transferable right to use, copy, reproduce, display, modify, adapt, transmit, and distribute any content submitted, and Participant also covenants not to sue Ford based on any content submitted and for any actions taken by Ford related to any submission.
Ford will not publicly disclose the identity of any submitter without consent, except where required by law.
General Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may be closed as Information or NA.
Submit one report per individual vulnerability. If multiple vulnerabilities could be chained, but still require different fixes, please submit as separate reports and include ID# of the other related reports.
Multiple vulnerabilities caused by one underlying issue will be treated as one vulnerability; the first report will be triaged as the original, and all future reports will be closed as Duplicate.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Grounds for Disqualification
Attempting any of the following could result in permanent disqualification from the disclosure program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps, or vehicles for other Ford customers.
Disruption or denial-of-service attacks (Application and Network)
Social engineering attacks
Brute-force attacks
Exfiltration of data
Code injection on live systems
The compromise or testing of application accounts that are not your own
Any threats, attempts at coercion, or extortion of Ford employees, other partner employees, or customers
Physical attacks against Ford, contractors, or customers
Any physical attempts against Ford property or data centers
Accessing the personal information of any other person without consent
Any other action that violates the law
Any action that endangers yourself, other motorists, or pedestrians
Attacks against manufacturing systems, applications, networks, and infrastructure. This includes transportation, transportation infrastructure, plant machinery, personnel, equipment, and vehicles
Aggressive vulnerability scans or automated scans on Ford servers (including scans using tools such as Core Impact or Nessus)
Keep scans to 45 requests per minute