Description

The BMW Group is the world's leading provider of premium cars and motorcycles and the home of the BMW, MINI, Rolls-Royce and BMW Motorrad brands. Our vehicles and products are tailored to the needs of our customers and constantly enhanced. We place special emphasis on the security, integrity and availability of our data and systems and thus also on those of our customers, employees and partners.

Bounties (by contextual CVSS score; see Severity assessment below)

Severity      CVSS range    Tier 1     Tier 2
Low           0.1 - 3.9     €250       €150
Medium        4.0 - 6.9     €500       €300
High          7.0 - 8.9     €1,500     €1,000
Critical      9.0 - 9.4     €3,500     €2,000
Exceptional   9.5 - 10.0    €6,000     €3,000

Tier 1: €250 - €6,000
Tier 2: €150 - €3,000
Rules of engagement

  • Required
  • Not applicable
  • Rate limit: max. 2 requests /sec
  • Request header: X-Intigriti-Username: {Username}

Policies

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Do not discuss or disclose vulnerability information without prior written consent (this includes PoCs posted on YouTube, Vimeo and other video platforms)

General Rules

  • Employees and former employees or contract partners of BMW, its subsidiaries and associated companies, as well as their relatives or household members, are excluded from participation. The exclusion can also be applied retrospectively, in which case a bounty or bonus already paid can be reclaimed.
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
  • Some sites might rely on shared resources or assets. If we identify this issue, we will only award a bounty for the first report
  • We will not reimburse you for any costs related to proofs of concept (or other materials) created by the researcher
  • We will not provide any test accounts

Dos and Don'ts

Dos

  • Always submit proof (e.g., a PoC) regarding the exploitability of your finding
  • Provide a detailed report with all necessary, reproducible steps, including the full HTTP requests leading to the exploit
  • Only submit one vulnerability per report, unless you need to chain the vulnerabilities for successful exploitation
  • Set the request headers according to Intigriti’s guidelines
  • Adhere to the rate limitations according to Intigriti’s guidelines
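The two concrete requirements above (send the X-Intigriti-Username header on every request, never exceed 2 requests per second) are easy to violate once a scanner or a multi-threaded script is involved. The following added Python example shows one way to enforce both in a custom client; it is not code from Intigriti or BMW. The class names, the username researcher42, the target URL and the in-memory transport used in the demo are constructed for illustration, and the limiter accepts an injectable clock so the timing can be checked without real waiting.

```python
"""Throttled HTTP client for testing under this program's rules of engagement:
every request carries the X-Intigriti-Username header and the client never
exceeds 2 requests per second. Example code, not Intigriti's or BMW's own."""
import time
import threading
import urllib.request
from collections import deque

REQUIRED_HEADER = "X-Intigriti-Username"   # header named in the rules of engagement
MAX_REQUESTS_PER_SECOND = 2                # "max. 2 requests /sec"


class RateLimiter:
    """Sliding-window limiter: at most `limit` acquisitions per `window` seconds.

    `clock` and `sleeper` are injectable so the behaviour can be checked with a
    fake clock instead of real waiting; they default to the real ones.
    """

    def __init__(self, limit=MAX_REQUESTS_PER_SECOND, window=1.0,
                 clock=time.monotonic, sleeper=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleeper = clock, sleeper
        self._stamps = deque()            # send times inside the current window
        self._lock = threading.Lock()     # safe to share between scanner threads

    def _evict(self, now):
        while self._stamps and now - self._stamps[0] >= self.window:
            self._stamps.popleft()

    def acquire(self):
        """Block until a send is allowed; return the seconds spent waiting."""
        with self._lock:
            waited = 0.0
            now = self.clock()
            self._evict(now)
            if len(self._stamps) >= self.limit:
                # the oldest send must leave the window before we may send again
                waited = self.window - (now - self._stamps[0])
                self.sleeper(waited)
                now = self.clock()
                self._evict(now)
            self._stamps.append(now)
            return waited


def build_headers(username, extra=None):
    """Mandatory researcher header plus any extra headers.

    A blank value would make the traffic unattributable, so it is refused, and
    an `extra` entry for the same header is ignored so that a scanner profile
    cannot override or blank it.
    """
    if not username or not username.strip():
        raise ValueError("Intigriti username must not be empty")
    headers = {REQUIRED_HEADER: username.strip()}
    for name, value in (extra or {}).items():
        if name.lower() != REQUIRED_HEADER.lower():
            headers[name] = value
    return headers


def urllib_transport(method, url, headers, body=None, timeout=15):
    """Default transport: one request over urllib; returns (status, body bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


class ThrottledClient:
    """All requests pass through the limiter and carry the required header."""

    def __init__(self, username, limiter=None, transport=urllib_transport):
        build_headers(username)                  # fail early on a bad username
        self.username = username
        self.limiter = limiter or RateLimiter()
        self.transport = transport
        self.last_wait = 0.0                     # seconds the last request was delayed

    def request(self, method, url, body=None, extra_headers=None):
        self.last_wait = self.limiter.acquire()
        headers = build_headers(self.username, extra_headers)
        return self.transport(method, url, headers, body)


class FakeClock:
    """Deterministic clock for the demo: sleep() advances time instead of waiting."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def demo(n=5, username="researcher42"):
    """Send n requests through an in-memory transport (constructed, no network)
    and return the per-request delays, the headers sent and the elapsed time."""
    clock = FakeClock()
    limiter = RateLimiter(clock=clock.now, sleeper=clock.sleep)
    sent = []
    def fake_transport(method, url, headers, body=None, timeout=15):
        sent.append((method, url, dict(headers)))
        return 200, b""
    client = ThrottledClient(username, limiter=limiter, transport=fake_transport)
    waits = []
    for i in range(n):
        client.request("GET", f"https://target.example/probe/{i}", extra_headers={"User-Agent": "demo"})
        waits.append(client.last_wait)
    return waits, sent, clock.t


if __name__ == "__main__":
    waits, sent, elapsed = demo()
    print("delays imposed per request:", waits)      # [0.0, 0.0, 1.0, 0.0, 1.0]
    print("headers on first request:", sent[0][2])
    print("virtual seconds for 5 requests:", elapsed)
```

With a 2 requests/second window, every third request is held back until the oldest send is a full second old, so five requests take two virtual seconds. Pass `clock` and `sleeper` from `time` (the defaults) for real use; the lock is what keeps the ceiling honest when several scanner threads share one client.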

Don'ts

  • Do not disclose details of this program or vulnerabilities (even resolved ones) to the public or any third party without the explicit consent of the BMW Group
  • Do not perform any testing that causes degradation to BMW's services e.g., denial of service, or heavy automated scanning
  • Do not access or make changes to customer accounts
  • Do not perform social engineering attacks, including phishing
  • Do not spam
  • Do not perform any physical attacks
  • Do not perform any lateral movement or post-exploitation past the initial exploitation

Validation times

Are currently undergoing re-evaluation.
Please note that findings on No bounty assets may take significantly longer to validate.

Check our fix

We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of the BMW Group to award.

Domains

Other BMW Domains (type: Other; No bounty)

Please select this asset to report vulnerabilities affecting BMW assets but not matching any of the assets stated above.

Important: Note our policy regarding "No Bounty Domains" and the potentially deviating application of the safe harbor clause to them.
We may award a small bonus for these assets, but only for valid high, critical and exceptional severity findings; this is, however, at the discretion of the BMW Group team.

Automotive Security (type: Other; Out of scope)

Please submit valid findings regarding Automotive assets in our public BMW Group - Automotive program.

Domains from independent BMW Dealers, Resellers or Fanclubs (type: Other)

These domains belong to legally independent entities. We can only inform these entities; we have no influence on the mitigation process for vulnerabilities in these assets.

Severity assessment

This program follows Intigriti's contextual CVSS standard

FAQ

Where can I get test credentials?

We currently don’t offer any credentials to test user roles.

I believe I have found a vulnerable asset related to BMW but I am not sure if the asset actually belongs to BMW. Can I still report it?

Yes! If you are unsure if the vulnerable asset you found belongs to BMW and you believe that it is not owned by an independent retailer, importer, service provider, fan club, etc. please use the "Other BMW Domains" asset to report this vulnerability. Note that these assets are not eligible for bounty but we may award a bonus for high, critical and exceptional severity findings.
