Description

The BMW Group looks forward to working with the security community to find vulnerabilities in order to keep its products and customers safe and secure. We are committed to working with you to verify, reproduce, and respond to legitimate reported vulnerabilities covered by this policy. Within this program bounties can be received by reporting vulnerabilities that are in the scope of program and marked as “Eligible”. Please take note of the current scope outlined below.

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 1
500
2,000
5,000
10,000
15,000
Tier 1
€500 - €15,000
Tier 2
100
500
1,000
2,000
5,000
Tier 2
€100 - €5,000
Rules of engagement
Not applicable
Not applicable
Not applicable
Not applicable

Policies

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

General Rules

  • Research must be done using your own BMW products. You should not modify products owned by other BMW customers.
  • BMW is not responsible if you damage your product in any way during your research.
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • We will not reimburse you for any costs related to proof of concepts (or else) created by the researcher.

Response Targets

BMW Automotive Team will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response SLA in business days
First Response 2 days
Time to Triage 4 days
Time to Bounty 28 days
Time to Resolution depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of BMW to award.

Domains

Functions dealing with vehicle access and immobilizer

Tier 1
Device
Tier 2
iOS
Tier 2
Android

Remaining functions

Tier 2
Device
In scope

The BMW Group values the work of security researchers in improving the security of our products and services and encourages the community to participate in its bug bounty program. We are committed to working with you to verify, reproduce, and respond to legitimate reported vulnerabilities covered by this policy. Within this program bounties can be received by reporting vulnerabilities that are in the scope of program.

Critical and exceptional findings can earn you a place on our BMW Security Hall of Fame.

Targets

The BMW Automotive Program aims at our automotive products, this includes besides BMW Group vehicles also our automotive related smartphone apps.

Out of scope

General

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Previously known vulnerable libraries without a working Proof of Concept.
  • Denial of Service by flooding the ECU with bus messages or other inputs.
  • Software version disclosure / Banner identification issues.
  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

Duplicates

Vulnerabilities that were already known to the BMW Group through our own testing will be flagged as duplicate.
Vulnerabilities that were already reported to the BMW Group will be flagged as duplicate.

During our transitional phase:

For vulnerabilities that have already been reported via our old program at HackerOne but have not yet been resolved, no new bounties will be paid out. These cases are examined individually by the triage team and us and, if applicable, will be closed with a corresponding notice.
This problem will only exist during a transitional period.

Assets

  • The eligibility of BMW Group aftermarket products is decided on a case-by-case basis
Severity assessment

This program follows Intigriti's contextual CVSS standard

FAQ

Where can we get credentials for the app?

We currently don’t offer any credentials to test user roles.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Program specifics
no reputation No collaboration
Researchers
last contributors
logo
logo
logo
logo
logo
leaderboard
logo
Overall stats
submissions received
8
average payout
N/A
accepted submissions
1
total payouts
N/A
Last 90 day response times
avg. time first response
< 24 hours
avg. time to decide
< 3 days
avg. time to triage
< 2 days
Activity
4/9
BMW
closed a submission
4/9
BMW
closed a submission
4/9
BMW
accepted a submission
4/8
BMW
closed a submission
4/8
BMW
closed a submission
4/8
BMW
closed a submission
4/7
logo
created a submission
4/7
logo
created a submission
4/7
logo
created a submission
4/5
BMW
closed a submission