Tesla values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.

For vehicle or product related services
While we use Bugcrowd as a platform for rewarding all issues, for vehicle and product related service issues please notify us at vulnerability@teslamotors.com to provide details. Our GPG public key is available here: https://www.teslamotors.com/sites/default/files/downloads/teslavulnerabilitypgp.asc

Third-party bugs
If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, Tesla reserves the right to forward details of the issue along to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers through this process.

Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you providing you comply with the following Responsible Disclosure Guidelines:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
    • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
    • Do not modify or access data that does not belong to you
    • Give Tesla a reasonable time to correct the issue before making any information public

Targets

In scope

  • *.tesla.com
  • A hardware product that you own or are authorized to test against (Vehicle/PowerWall/etc.)
  • Mobile Applications ("Tesla Model S" on iOS and Android)
  • Any host verified to be owned by Tesla Motors Inc. (domains/IP space/etc.)
  • *.teslamotors.com

Out of Scope

  • *.solarcity.com / Any SolarCity property

Third party websites hosted by non-Tesla entities are not included in this program, including:

  • shop.teslamotors.com (includes shop.[REGION].teslamotors.com)
  • issues only useful in social engineering/Phishing attacks (except in very rare cases)
  • ir.teslamotors.com
  • feedback.teslamotors.com
  • mkto.teslamotors.com
  • *.shareholder.com

Focus Area

  • This program is focused on Tesla's public facing web application
  • When registering for an account at https://www.teslamotors.com/user/register, please use the following format:
    • bugcrowd username@bugcrowdninja.com
    • example: bugcrowd_01@bugcrowdninja.com
  • Vulnerabilities in other discovered applications owned by Tesla (usually subdomains of teslamotors.com)
  • Vehicles or product related services must be submitted via email in order to qualify for a reward. Please go to https://www.teslamotors.com/about/legal#security-vulnerability-reporting-policy for instructions.

The following finding types are specifically excluded from the bounty:

  • Self XSS (except for very special cases)
  • Text injection (except for very special cases)
  • Email spoofing where SPF records are correct but recipient ignores SPF failures or body From: spoofing
  • Descriptive error messages (e.g. stack traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting/banner disclosure on common/public services.
  • Internal IP address disclosure
  • Full path disclosure / Path disclosure, in almost all cases. Exceptional cases may still be rewarded.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Default files from available via web (e.g. README.TXT, CHANGES.TXT, etc)
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users, (e.g. the contact form).
  • Login/Logout Cross-Site Request Forgery (CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure and HTTPOnly cookie flags.
    • Exceptional cases may still be in scope, e.g.: session cookies on critical systems
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha/Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration by brute forcing / error messages, e.g.: Login / Signup / Password forgot
    • Exceptional cases may still be in scope, e.g.: ability to enumerate email addresses via incrementing a parameter
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers#):
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • TLS/SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak/insecure cipher suites
  • Denial of Service attacks
  • Out of date software versions
  • Open redirects

Rewards

We pay rewards ranging from $100 to $10,000. Rewards are administered according to the following guidelines:

  • XSS: $200–$500
  • CSRF: $100–$500
  • SQL: $500–$10,000
  • Command injection: Up to $10,000
  • Authentication bypass: Up to $10,000
  • Business logic issues: $100–$300
  • Horizontal privilege escalation: $500
  • Vertical privilege escalation: $500–$10,000
  • Forceful browsing/Insecure direct object references: $100–$500
  • Security misconfiguration: Up to $200
  • Sensitive data exposure: Up to $300

  • Vehicle or product related vulnerabilities: case-by-case basis (report directly to vulnerability@teslamotors.com)

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

We support the open publication of security research. We do ask that you give us a heads-up before any publication so we can do a final sync-up and check.