Tesla

  • $100 – $100,000 per vulnerability
  • Partial safe harbor

NEW REWARDS section on the brief - Vehicle Targets being paid up to $100k!

We hope your testing is going well. Here is an update that should make things a bit more interesting! There have been some updates to the brief to incentivize testing against vehicle targets.

Here are the details that have been updated on the brief:

Critical ($50,000 - $100,000)

  • Remote zero-click to unconfined root on infotainment
  • Any remote code execution on a CAN-connected ECU, e.g. Autopilot, VCSEC, Gateway
  • Infotainment pivot to CAN-connected ECU, e.g. Autopilot, VCSEC, Gateway

High ($20,000 - $50,000)

  • Remote one-click to unconfined root on infotainment
  • Unconfined root persistence on infotainment or Autopilot
  • Remote zero-click on lower-privileged peripherals (WiFi/BT firmware, baseband)
  • Local privilege escalation from unprivileged process

Moderate ($10,000 - $20,000)

  • Unprivileged remote code execution on infotainment
  • Unconfined root on infotainment or Autopilot via Ethernet
  • Unconfined root on infotainment or Autopilot via USB
  • Zero-click radio module remote code execution
  • Steam VM escape

Low ($500 - $10,000)

  • Unprivileged persistence on infotainment or Autopilot
  • Local drive authentication bypass
  • PIN-to-Drive bypass

We do not award bounties for:

  • Relay attacks
  • Hardware-based glitching and side-channel attacks
  • Confusing Autopilot by modifying the environment, such as adding lines to the road (CWE-XKCD-1958 attacks)
  • Tesla-specific known issues (e.g., publicly reported or previously reported by another researcher)
  • Chromium and/or WebKit bugs, unless chained with a full sandbox escape
  • Persistence and/or secure boot bypasses on Tegra-based infotainment systems
  • Attacks that require physical access on Tegra-based infotainment systems

Payout Factors

  • If a vulnerability affects multiple systems (e.g. via shared code), the bounty will be determined by the highest single applicable amount, with a bonus determined at Tesla's discretion
  • The bounty amount may be reduced if the attack is unreliable, relies on unusual conditions being met, etc.
  • A working proof-of-concept will help ensure you receive the maximum applicable payout for your report
  • Internal duplicates that are not yet fixed will still be rewarded at a reduced amount
  • Vulnerabilities affecting Tegra-based infotainment systems are rewarded at Tesla's discretion, along with a reduced payout
  • Superchargers and related infrastructure are out of scope

If there are any questions, please contact support@bugcrowd.com