Policies

By participating in this program, you agree to:

• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Respect the scope of the program
• Do not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

General Rules

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
• Some sites might rely on shared resources or assets. If we identify this issue, we will only award a bounty for the first report
• We will not reimburse you for any costs related to proof of concepts (or else) created by the researcher
• We will not provide any test accounts

Dos and Don'ts

Dos

• Always submit proof (e.g., a PoC) regarding the exploitability of your finding
• Provide a detailed report with reproducible steps, including the full http requests leading to the exploit
• Only submit one vulnerability per report, unless you need to chain the vulnerabilities for successful exploitation
• Set the request headers according to Intigriti’s guidelines
• Adhere to the rate limitations according to Intigriti’s guidelines

Don'ts

• Do not disclose details of this program or vulnerabilities (even resolved ones) to the public or any third party without the explicit consent of the BMW Group
• Do not perform any testing that causes degradation to BMW's services e.g., denial of service, or heavy automated scanning
• Do not access or make changes to customer accounts
• Do not perform social engineering attacks, including phishing
• Do not spam
• Do not perform any physical attacks
• Any lateral movement and post-exploitation past the initial exploitation is forbidden

Validation times

Are currently undergoing re-evaluation.
Please note that No bounty findings may take significantly longer to validate.

Check our fix

We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of the BMW Group to award.

The BMW Group values the work of security researchers in improving the security of our products and services and encourages the community to participate in its bug bounty program. We are committed to working with you to verify, reproduce, and respond to legitimate reported vulnerabilities covered by this policy. Within this program bounties can be received by reporting vulnerabilities that are in the scope of program.

Critical and exceptional findings can earn you a place on our BMW Security Hall of Fame.

For submissions, please ensure the following requirements are met:

Browsers

Browsers have to be up to date (latest released stable version) on the day of submission. Vulnerabilities which require certain plugins are out of scope.
Only the following browsers are in scope:

• Chrome
• Firefox
• Safari
• Edge

Targets

Only the targets listed above are in scope.

Feedback

Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here:

Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

General

• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
• Spam, social engineering and physical intrusion
• DoS/DDoS attacks or brute force attacks
• Vulnerabilities that only work on software that no longer receive security updates
• Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
• Reports that state that software is out of date/vulnerable without a proof-of-concept

Duplicates

Vulnerabilities that were already known to the BMW Group through our own testing will be flagged as duplicate.
Vulnerabilities that were already reported to the BMW Group will be flagged as duplicate.

During our transitional phase:
For vulnerabilities that have already been reported via our old program at HackerOne but have not yet been resolved, no new bounties will be paid out. These cases are examined individually by the triage team and us and, if applicable, will be closed with a corresponding notice.
This problem will only exist during a transitional period.

Assets

• Everything not explicitly listed as in scope
• All subdomains of the domains in scope
• Pages redirecting to non-BMW domains

Vulnerabilities

• Wordpress usernames disclosure
• Pre-Auth Account takeover/OAuth squatting
• Self-XSS that can't be used to exploit other users
• Verbose messages/files/directory listings without disclosing any sensitive information
• CORS misconfiguration on non-sensitive endpoints
• Missing cookie flags
• Missing security headers
• Cross-site Request Forgery with no or low impact
• Presence of autocomplete attribute on web forms
• Reverse tabnabbing
• Bypassing rate-limits or the non-existence of rate-limits.
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking without proven impact/unrealistic user interaction
• CSV Injection
• Sessions not being invalidated (logout, enabling 2FA, etc.)
• Tokens leaked to third parties
• Anything related to email spoofing, SPF, DMARC or DKIM
• Content injection without being able to modify the HTML
• Username/email enumeration
• Email bombing
• HTTP Request smuggling without any proven impact
• Homograph attacks
• XMLRPC enabled
• Banner grabbing/Version disclosure
• Not stripping metadata of files
• Same-site scripting
• Subdomain takeover without taking over the subdomain
• Arbitrary file upload without proof of the existence of the uploaded file
• Blind SSRF without proven business impact (pingbacks aren't sufficient)
• Disclosed/misconfigured Google Maps API keys
• Host header injection without proven business impact
• CSRF logout
• Self-exploitation (e.g., token or cookie reuse)
• Broken links to third-party social media web pages (e.g., independent BMW Dealers, Resellers or Fanclubs)
• Blind XSS that cannot be verified: Blind XSS Triggers must be fired within a week after setting them up. If they cannot be verified by the triage team, the related report will be rejected

Post-exploitation

All post-exploitation is out of scope, except the minimum to prove that the exploit is working:

• In case of an RCE or injection attack, you may issue commands stating the version of the database, the system name or the local IP address
• All post exploitation that will lead to further vulnerabilities or risk the stability or integrity of a system is out of scope

Domains from independent BMW Dealers, Resellers or Fanclubs

We would like to point out that not every asset that has BMW (or one of its brands) in its name necessarily belongs to the BMW Group. The systems in question may include retailers, importers, service providers, fan clubs, or others. However, in many of these cases, we have limited or no influence on the actual owner of these systems. In these cases, the reports will be closed by the triage team or by us with a corresponding notice. These systems are not eligible for bounty or bonus.

No Bounty Domains

While not being covered by the safe harbor clause, vulnerabilities related to domains that are not in scope of this program can be reported by choosing the respective “Other BMW Domains” asset. Please consider that these assets are not eligible for any bounty. However, they may be eligible for a bonus.

This program follows Intigriti's contextual CVSS standard

Where can I get test credentials?

We currently don’t offer any credentials to test user roles.

I believe I have found a vulnerable asset related to BMW but I am not sure if the asset actually belongs to BMW. Can I still report it?

Yes! If you are unsure if the vulnerable asset you found belongs to BMW and you believe that it is not owned by an independent retailer, importer, service provider, fan club, etc. please use the "Other BMW Domains" asset to report this vulnerability. Note that these assets are not eligible for bounty but we may award a bonus for high, critical and exceptional severity findings.