It is Mercedes-Benz AG’s goal to offer its customers the best and most secure products such as connected cars and other services. Even though we continuously strive to build secure products & services, there can still be some vulnerabilities present.
Thus, we encourage security researchers from all over the world to report vulnerabilities they identify in any of our products, systems, or assets. We appreciate those of you who have supported us in rectifying vulnerabilities to ensure the least amount of impact and risk to our organization and our customers.
As we mature and revise the below Disclosure Guidelines, please continue to check here for the updates.
We are happy to announce that Mercedes-Benz AG has taken its first step in recognizing the efforts behind all valuable reports with a Hall of Fame for those researchers around the globe who are the first to report a potential high-severity vulnerability.
SAFETY FIRST.
Safety first! Don't do anything that could cause harm to yourself or others. Keep in mind that a vehicle has several systems like airbags that could cause serious injury when misused. If in doubt, let it be.
If you work on a vehicle, do not try anything that could interfere with road safety and do not experiment on public roads. Only perform testing in a safe place with a stationary vehicle.
Use special caution when interacting with safety-critical devices such as brake systems, steering components, the engine or high voltage components like the car battery.
LEGAL.
Always obey your local laws!
If you work on a product or vehicle, use only a vehicle that you own or have the owner's permission to work on. Do not modify or copy data that doesn't belong to you. We explicitly reject criminal activity in any form.
We utilize code written by third parties, and those code parts belong to their respective owners. We cannot grant you permission to reverse engineer any of that code.
SAFE HARBOUR.
Mercedes-Benz pledges not to initiate any legal action against researchers for penetrating or attempting to penetrate our systems as long as they adhere to our policy.
Program Exclusions.
Searching for vulnerabilities in applications/systems not listed in scope, Denial of Service (DoS/DDoS) testing, brute-force attacks and social engineering attacks are prohibited. Only vulnerabilities with security impact will be considered.
To disclose a potential vulnerability, please email the Information Security and Privacy Teams: security@mercedes-benz.com using PGP or S/MIME. The corresponding public key can be requested here.
When reporting a potential vulnerability, please include a detailed description of the vulnerability that allows us to reproduce it: tools utilized, target, processes, and results.
Please support your findings by attaching any pertinent artifacts used for discovery. Though not required for review and validation/verification of the vulnerability, if you have information regarding the remediation of the vulnerability, please share your proposed resolution.
If possible, please reach out to us in English, as reports in other languages might take significantly more time for us to reply to.
We try to answer your report within two business days with a first acknowledgement and to complete our internal analysis within five business days.
If we need any additional information, we will let you know. In addition, we will keep you updated on the remediation process steps as current as possible.
Note: We do not guarantee the above timelines; however, our team of experts will try their best to keep you updated about the reported vulnerability. If you found a flaw in our vehicles, please note that fixing a bug in a vehicle is a substantially different process than fixing a bug in classic IT systems. Vehicle software needs to meet high safety and regulatory requirements; therefore, fixing a bug takes significantly more time.
The following are out of scope for submittal under the Responsible Disclosure Policy. Out-of-scope vulnerabilities include:
We encourage the coordinated disclosure of the following eligible vulnerabilities:
Vehicles
Year 2022.
Year 2023.