We hope your testing is going well. Here is an update that should make things a bit more interesting! There have been some updates to the brief to incentivize testing against vehicle targets.

Here are the details that have been updated on the brief:

Critical ($50,000 - $100,000)

• Remote zero-click to unconfined root on infotainment
• Any remote code execution on a CAN-connected ECU, e.g. Autopilot, VCSEC, Gateway
• Infotainment pivot to CAN-connected ECU, e.g. Autopilot, VCSEC, Gateway

High ($20,000 - $50,000)

• Remote one-click to unconfined root on infotainment
• Unconfined root persistence on infotainment or Autopilot
• Remote zero-click on lower-privileged peripherals (WiFi/BT firmware, baseband)
• Local privilege escalation from unprivileged process

Moderate ($10,000 - $20,000)

• Unprivileged remote code execution on infotainment
• Unconfined root on infotainment or Autopilot via ethernet
• Unconfined root on infotainment or Autopilot via USB
• Zero-click radio module remote code execution
• Steam VM escape

Low ($500 - $10,000)

• Unprivileged persistence on infotainment or Autopilot
• Local drive authentication bypass
• PIN-to-Drive bypass

We do not award bounties for:

• Relay attacks
• Hardware-based glitching and side-channel attacks
• Confusing Autopilot by modifying the environment, such as adding lines to the road (CWE-XKCD-1958 attacks)
• Tesla-specific known issues (e.g., publicly reported or previously reported by another researcher)
• Chromium and/or Webkit bugs, unless chained with a full sandbox escape
• Persistence and/or secure boot bypasses on Tegra-based infotainment systems
• Attacks that require physical access on Tegra-based infotainment systems

Payout Factors

• If a vulnerability affects multiple systems, e.g. shared code, bounty will be determined by the highest single amount with a bonus determined at Tesla's discretion
• The bounty amount may be reduced if the attack is unreliable, relies on unusual conditions being met, etc.
• A working proof-of-concept will help ensure you receive the maximum applicable payout for your report
• Internal duplicates that are not yet fixed will still be rewarded at a reduced amount
• Vulnerabilities affecting Tegra-based infotainment systems are rewarded at Tesla's discretion, along with a reduced payout
• Superchargers and related infrastructure are out of scope

If there are any questions please contact support@bugcrowd.com