Bountytalk Launched

Author Topic: Ford Bug Bounty  (Read 167 times)


Ford Bug Bounty
« on: July 26, 2023, 07:29:16 PM »
submit bug report:

The Ford Vision
People working together as a lean, global enterprise to make people’s lives better through automotive and mobility leadership.
The Ford Motor company has maintained its position as a leader in the automotive industry through its innovative people, technologies, and communities. The principle of innovation applies to all aspects of Ford, including security. The Coordinated Disclosure Program is a modern, yet essential security tool, and we need your help to expand its reach.
Ford will be selecting top researchers from our programs to participate in future special hacking projects. We’re excited to work with HackerOne and the hacker community to help keep Ford customers safe.
You must be 18 years old or older and of sound mind to submit a vulnerability for consideration. If you are a minor, you must submit through a parent or legal guardian.
You are an individual security researcher participating in your own individual capacity.
If you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing your employer’s rules for participating in this program.
Researchers who meet any of the following criteria are ineligible for participation:
A resident of any countries/regions that are under United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria or Crimea, nor a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.
A current employee of Ford Motor Company or a Ford subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
A contingent staff member or contractor or vendor employee currently working with Ford.
Response Targets
If we require additional information from you, please allow for another 2-3 days for our team to review and respond to new comments.
Response Target   Time (in business days)
First response (from report submit)   2 days
Triage (from report submit)   2 days
Resolution   Depends on severity and complexity
Test Instructions
All assets in scope are on production; no VPN or credentials are required for testing.
Reporting Criteria
All reports will be evaluated based on the following criteria:
Steps to reproduce the vulnerability
Working proof of concept
Business impact
Effort required to exploit the vulnerability
Likelihood of vulnerability being discovered
Valuable Vulnerabilities
Remote Code Execution
SQL Injection
Privilege Escalation to Admin Level
XML Injection
Insecure Direct Object Reference
Example of valuable vulnerability
Summary: Authentication Bypass was found on a mobile to web application. Access to certain functions was disabled by client-side JavaScript. By removing the necessary variables, a user is able to use features that were previously restricted.
Ford Coordinated Disclosure Rules
The same vulnerability that is found on multiple domains will be treated as a SINGLE vulnerability. Please report all affected domains (e.g.,,, etc.) on a single report. All subsequent reports will be closed as a Duplicate.
Do not modify a vehicle that is used on public roads in a manner that could affect the safety of you, other motorists, or pedestrians.
Do not modify or access data that does not belong to you.
A vulnerability should NOT be dependent on another vulnerability. Each vulnerability should be executable on its own.
No damage caused to a vehicle by modification will be covered under warranty.
Although Ford will not retaliate against legitimate participants who comply with the Coordinated Disclosure Guidelines, we cannot represent the position of other entities, such as law enforcement or other copyright owners.
In return for Ford’s consideration of Participant’s submission, which Participant hereby acknowledges as sufficient consideration, Participant waives any claims related to confidentiality and grants Ford a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, fully paid-up, sub-licensable and transferable right to use, copy, reproduce, display, modify, adapt, transmit, and distribute any content submitted, and Participant also covenants not to sue Ford based on any content submitted and for any actions taken by Ford related to any submission.
Ford will not publicly disclose the identity of any submitter without consent, except where required by law.
General Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may be closed as Information or NA.
Submit one report per individual vulnerability. If multiple vulnerabilities could be chained, but still require different fixes, please submit as separate reports and include ID# of the other related reports.
Multiple vulnerabilities caused by one underlying issue will be treated as one vulnerability; the first report will be triaged as the original, and all future reports will be closed as Duplicate.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Grounds for Disqualification
Attempting any of the following could result in permanent disqualification from the disclosure program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps, or vehicles for other Ford customers.
Disruption or denial-of-service attacks (Application and Network)
Social engineering attacks
Brute-force attacks
Exfiltration of data
Code injection on live systems
The compromise or testing of application accounts that are not your own
Any threats, attempts at coercion, or extortion of Ford employees, other partner employees, or customers
Physical attacks against Ford, contractors, or customers
Any physical attempts against Ford property or data centers
Access the personal information of any other person without consent
Any other action that violates the law
Any action that endangers yourself, other motorists, or pedestrians
Attacks against manufacturing systems, applications, networks, and infrastructure. This includes transportation, transportation infrastructure, plant machinery, personnel, equipment, and vehicles
Aggressive vulnerability scans or automated scans on Ford servers (including scans using tools such as Core Impact or Nessus)
Keep scans to 45 requests per minute
Out-of-Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Due to the volume of 3rd party assets, including dealerships, partners, suppliers, etc., Ford is excluding low and medium severity 3rd party vulnerabilities from the initial scope. Ford will accept high and critical severity 3rd party vulnerabilities on a case by case basis.
Self XSS
Clickjacking on pages with no sensitive actions
Unauthenticated/logout/login CSRF
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS configuration
Any activity that could lead to the disruption of our service (DoS)
Reports from automated tools or scans that don’t prove a unique, valid security threat
Content spoofing and text injection issues WITHOUT showing an attack vector/without being able to modify HTML/CSS
Brute force attacks
Password and account recovery policies, such as reset link expiration or password complexity
Bypass of URL malware detection
Vulnerabilities affecting users of outdated or unpatched browsers and platforms
Externally hosted services utilized by Ford
Disclosure Policy
Follow HackerOne's disclosure guidelines.
Ford reserves the right to approve or deny any request for disclosure.
Disclosing vulnerability information without Ford approval may result in a program ban.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for participating in Ford’s Coordinated Disclosure Program.