At Ford, we strive to provide a high level of safety and security to our employees, our suppliers, and most importantly our customers. Engaging the security community is a key aspect of Ford’s security strategy and this program seeks to harness the collective knowledge and skill of individual researchers.
At a high level, the scope of this program is straightforward and all-encompassing: the entirety of Ford’s public digital footprint. Key inclusions and exclusions are detailed in sections below. We will investigate legitimate reports quickly on behalf of our customers when we determine action is needed.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
Due to the breadth of available attack surface for this program, when reporting a vulnerability, please be sure to specify exactly where the vulnerability is found.
No special tools or technology are required to access this program. All public-facing sites/systems owned and operated by Ford Motor Company are in scope for this program. Credentials will not be provided for any application, service, server, network, or any other item of Ford’s requiring credentials.
Please be aware when testing any dealer site that these sites are quite commonly all part of a shared CMS/code base, which unfortunately means that issues found on them are not only systemic but will also be a one-push fix. We will consider the first instance of any valid issue as accepted, and then all others will be marked as N/A. The most common example of this is FordDirect sites. To check if a given site is a FordDirect site, simply search on the page for “Copyright © 2018 FordDirect” (or similar); that should give a good idea of whether or not the site runs off this shared code base. However, it is critical to note that this is just the most common manifestation of systemic issues that we're immediately aware of, and that there may be (and likely are) other systemic targets that we'll add to the brief as we encounter them.
To encourage responsible reporting, we will not retaliate against any participant who complies with the following Coordinated Disclosure Guidelines (unless required to by law):
- Do not modify a vehicle that is used on public roads in a manner that could affect the safety of you, other motorists, or pedestrians.
- Provide details of the vulnerability and exploit methodology, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not modify or access data that does not belong to you.
- Do not use vulnerabilities (reported or not-yet-reported) to pivot and discover further vulnerabilities.
Additionally, it is important to note the following limitations and requirements:
- No damage caused to a vehicle by modification will be covered under warranty.
- Although Ford will not retaliate against legitimate participants who comply with the Coordinated Disclosure Guidelines, we cannot represent the position of other entities, such as law enforcement or other copyright owners.
- In return for Ford’s consideration of Participant’s submission, which Participant hereby acknowledges as sufficient consideration, Participant waives any claims related to confidentiality and grants Ford a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, fully paid-up, sub-licensable and transferable right to use, copy, reproduce, display, modify, adapt, transmit, and distribute any content submitted, and Participant also covenants not to sue Ford based on any content submitted and for any actions taken by Ford related to any submission.
- Ford will not publicly disclose the identity of any submitter without consent, except where required by law.
Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites, apps, or vehicles for other Ford customers.
- Disruption or denial-of-service attacks (Application and Network)
- Social engineering attacks
- Brute-force attacks
- Exfiltration of data
- Code injection on live systems
- The compromise or testing of application accounts that are not your own
- Any threats, attempts at coercion, or extortion of Ford employees, other partner employees, or customers
- Physical attacks against Ford, contractors, or customers
- Any physical attempts against Ford property or data centers
- Vulnerability scans or automated scans on Ford servers (including scans using tools such as Core Impact or Nessus)
- Accessing the personal information of any other person without consent
- Any other action that violates the law
- Any action that endangers yourself, other motorists, or pedestrians
- Attacks against manufacturing systems, applications, networks, and infrastructure. This includes transportation, transportation infrastructure, plant machinery, personnel, equipment, and vehicles
Furthermore, submitting the following types of issues will result in your submission being marked as
- Attacks requiring physical access to a user's device
- Password and account recovery policies, such as reset link expiration or password complexity
- Content spoofing / text injection
- Non-session cookies missing secure/httponly flags
- Reports from automated tools or scans
- Reports of spam
- Bypass of URL malware detection
- Vulnerabilities affecting users of outdated or unpatched browsers and platforms
- Reconnaissance without proof of a vulnerability
- Externally hosted services utilized by Ford
You are eligible to participate if:
- You are 18 years old or older and of sound mind. If you are a minor, you must submit through a parent or legal guardian.
- You are an individual security researcher participating in your own individual capacity.
- If you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing your employer’s rules for participating in this program.
Not Eligible to Participate:
- A resident of any country/region that is under United States sanctions, such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea, or a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.
- A current employee of Ford Motor Company or a Ford subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
- A contingent staff member or contract or vendor employee currently working with Ford.