- $100 – $15,000 per vulnerability
Tesla values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process. We will coordinate and communicate with researchers through the bug bounty process.
For vehicle or energy products
While we use Bugcrowd as a platform for rewarding all issues, please report vehicle and product related issues directly to firstname.lastname@example.org, using our GPG key to encrypt reports containing sensitive information.
If issues reported to our bug bounty program affect a third-party library, external project, or another vendor, Tesla reserves the right to forward details of the issue to that party without notification to the researcher.
Note: Tesla's bug bounty program is in part facilitated through a third party (Bugcrowd) that performs additional services and eligibility checks on our behalf. For example, Tesla may not issue payments if one or more of the following is applicable:
- You are a resident of a country under U.S. sanctions or live in a country that prohibits this type of program,
- You are under the age of 14 at the time of reporting, or between the age of 14 and 18 without explicit prior permission from a parent or guardian,
- You are currently (or were in the last 6 months) an employee of Tesla, a Tesla subsidiary, or a third-party contractor with access to Tesla’s internal systems and networks.
How the program works
- Security researchers and Tesla customers are encouraged to submit reports regarding the security measures used to protect Tesla products and services.
- When conducting security research, you are required to follow Responsible Disclosure Guidelines & Tesla’s Rules of Engagement (referred to as “Terms”), which are provided below.
- If a vulnerability is found, please document your findings thoroughly before sending them to us. This may include screenshots or videos of your findings.
- Members of Tesla’s team may contact you to confirm that we have received your submission, ask questions about your findings, and discuss how to reproduce them.
- Tesla may direct you to stop your activities in the event that your research impacts Tesla owned assets, Tesla vendors, or other customers. If directed to stop, you must immediately comply with the request.
- Tesla’s security team will then work with impacted business units to validate the findings.
- If Tesla can validate your findings and we determine that it is eligible for a reward under this program’s Terms, a bounty reward will be issued.
- You are responsible for the payment of all applicable taxes.
Responsible Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you, so long as you comply with the Terms.
Do not access or modify data that does not belong to you. If you are able to gain access to or modify data that belongs to Tesla, other customers, or Tesla vendors during the course of your research, you must take the following actions:
- Immediately stop your activities,
- Disclose your findings to Tesla as soon as possible (but no later than 24 hours after discovery). Your findings should include details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC),
- Wait for further instruction from the Tesla team.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
Give Tesla a reasonable time to correct the issue before making any information public. In certain circumstances, Tesla may request that you not disclose your findings, or that you delay disclosure, until we can ensure that the matter has been adequately addressed. You may not disclose confirmed, unresolved vulnerabilities without approval from Tesla.
Rules of Engagement
Research must be done using your own account or Tesla products that you own. You should not intentionally modify online accounts, data or products owned by other Tesla customers (without explicit permission). If during the course of your research, you find a vulnerability that would allow you to bypass an authentication control for another person’s account, you should report the vulnerability to Tesla immediately and take no further action.
If you are able to access or modify personal data of other customers or other sensitive data that does not belong to you, immediately contact Tesla. Do not attempt to conduct post-exploitation work with this data.
Where you are able to access data that does not belong to you, you will be asked to delete it. You must comply with this request, demonstrate the steps you took to ensure it was deleted, and confirm deletion to Tesla in order to be eligible for a reward.
Do not attempt to use brute force or denial of service attacks on Tesla-owned systems without prior written approval.
Hardware Research Registration
If you are performing good-faith bug bounty related research on hardware that you own (vehicles or Powerwall, for example), you must first register the hardware with Tesla via email@example.com.
This is necessary to prevent warranty-related issues. Registering also permits Tesla to voluntarily support researchers by providing updates or a “reflash” of the researcher-owned vehicle or Powerwall.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
We support the open publication of security research. We do ask that you give us a heads-up before any publication so we can do a final sync-up and check.