VULNERABILITY DISCLOSURE PROGRAM.

It is Mercedes-Benz AG’s goal to offer its customers the best and most secure products such as connected cars and other services. Even though we continuously strive to build secure products & services, there can still be some vulnerabilities present.

Thus, we encourage security researchers from all over the world to report vulnerabilities they identify in any of our products, systems, or assets. We appreciate those of you who have supported us in rectifying vulnerabilities to ensure the least possible impact and risk to our organization and our customers.

As we mature and revise the Disclosure Guidelines below, please continue to check here for updates.

REWARD.

We are happy to announce that Mercedes-Benz AG has taken a first step in recognizing the efforts behind valuable reports: a Hall of Fame for those researchers around the globe who are the first to report a potential high-severity vulnerability.

SAFETY FIRST.

Safety first! Don't do anything that could cause harm to yourself or others. Keep in mind that a vehicle has several systems, such as airbags, that could cause serious injury when misused. If in doubt, let it be.

If you work on a vehicle, do not try anything that could interfere with road safety, and do not experiment on public roads. Only perform testing in a safe place with a stationary vehicle.

Use special caution when interacting with safety-critical devices such as brake systems, steering components, the engine, or high-voltage components like the car battery.

LEGAL.

Always obey your local laws!

If you work on a product or vehicle, use only a vehicle that you own or have the owner's permission to work on. Do not modify or copy data that does not belong to you. We explicitly reject criminal activity in any form.

We use code written by third parties, and those code parts belong to their respective owners. We cannot grant you permission to reverse engineer any of that code.

SAFE HARBOUR.

Mercedes-Benz pledges not to initiate any legal action against researchers for penetrating or attempting to penetrate our systems, as long as they adhere to this policy.

COORDINATED DISCLOSURE GUIDELINES:

Program Exclusions.

Discovering vulnerabilities in applications or systems not listed in scope, Denial of Service (DoS/DDoS), brute-force attacks and social engineering attacks are prohibited. Only vulnerabilities with security impact will be considered; the following are excluded:

  • Self-XSS [to be valid, cross-site scripting issues must be exploitable as reflected, stored or DOM-based XSS]
  • Content spoofing / text injection
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • Cross-Site Tracing (XST)
  • Open redirects with low security impact (exceptions are those cases where the impact is higher, such as stealing auth tokens)
  • Missing HTTP security headers
  • Missing cookie flags on non-sensitive cookies
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Invalid, incomplete or missing SPF (Sender Policy Framework) or DKIM records
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • SSL/TLS best practices
  • Clickjacking/UI redressing with no practical security impact
  • Software version disclosure
  • Username / email enumeration via Login Page or Forgot Password Page error messages
  • Methods to extend product trial periods

HOW TO SUBMIT A VULNERABILITY

To disclose a potential vulnerability, please email the Information Security and Privacy Teams at security@mercedes-benz.com using PGP or S/MIME. The corresponding public key can be requested here.

SUBMISSION FORMAT

When reporting a potential vulnerability, please include a detailed description of the vulnerability that allows us to reproduce it: tools utilized, target, processes, and results.

Please support your findings by attaching any pertinent artifacts used for discovery. Though not required for the review and validation of the vulnerability, if you have information regarding its remediation, please share your proposed resolution.

If possible, please reach out to us in English, as reports in other languages might take significantly more time for us to reply to.

ACKNOWLEDGEMENT AND RESPONSE

We try to answer your report within two business days with a first acknowledgement and to complete our internal analysis within five business days.

If we need any additional information, we will let you know. In addition, we will keep you as up to date as possible on the remediation steps.

Note: We do not guarantee the above timelines; however, our team of experts will try their best to keep you updated about the reported vulnerability. If you found a flaw in our vehicles, please note that fixing a bug in a vehicle is a substantially different process from fixing a bug in classic IT systems. Vehicle software needs to meet high safety and regulatory requirements; therefore fixing a bug takes significantly more time.

OUT OF SCOPE

The following are out of scope for submission under the Responsible Disclosure Policy. Out-of-scope vulnerabilities include:

  • Social engineering, such as attempts to steal cookies, fake login pages to collect credentials, and phishing
  • Resource exhaustion attacks
  • Physical testing
  • Denial of Service attacks
  • Some dealerships use a subdomain of mercedes-benz.com to host their websites. Handling of vulnerability reports for those dealerships will be determined at the discretion of Mercedes-Benz Group.

Eligible Vulnerabilities

We encourage the coordinated disclosure of the following eligible vulnerabilities:

Vehicles

  • OWASP Embedded Application Security Top 10
  • Remote Code Execution
  • Sensitive Data Exposure
  • Broken Authentication
  • Compromise of update mechanisms, e.g. flashing an ECU with arbitrary firmware
  • Remote sending of arbitrary data on in-vehicle bus systems (CAN, LIN, FlexRay, etc.)
  • Unlocking vehicle functions

IT SYSTEMS

  • Injection
  • Broken Authentication and Session Management
  • Cross-site scripting
  • Cross-site request forgery in a privileged context
  • Server-side code execution
  • Directory Traversal
  • Disclosure of potential sensitive information
  • Significant Security Misconfiguration
  • Using Components with known vulnerabilities
  • Unvalidated Redirects and Forwards

HALL OF FAME:

We appreciate the efforts made by researchers in providing us with feedback on security issues. We offer Hall of Fame recognition for reported vulnerabilities on a DISCRETIONARY basis. If your submission does qualify for it, we will reach out accordingly.

Year 2022.

  • Marc-Oliver Munz - X
  • Cosme Sousa - LinkedIn
  • Everton Silva - LinkedIn
  • Jose Carlos Exposito
  • Rajat Sharma - X
  • Mammad Rahimzada - LinkedIn
  • Shoeb Shaikh - X
  • Vinayak Sakhare - LinkedIn
  • HAYKEL ELouaer - X


Year 2023.