The BMW Group is the world's leading provider of premium cars and motorcycles and the home of the BMW, MINI, Rolls-Royce and BMW Motorrad brands. Our vehicles and products are tailored to the needs of our customers and constantly enhanced. We place special emphasis on the security, integrity and availability of our data and systems and thus also on those of our customers, employees and partners.

0.1 - 3.9
4.0 - 6.9
7.0 - 8.9
9.0 - 9.4
9.5 - 10.0
Tier 1
Tier 1
€250 - €6,000
Tier 2
Tier 2
€150 - €3,000
Rules of engagement
Not applicable
max. 2 requests/sec
X-Intigriti-Username: {Username}


By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Do not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)

General Rules

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
  • Some sites might rely on shared resources or assets. If we identify this issue, we will only award a bounty for the first report
  • We will not reimburse you for any costs related to proof of concepts (or else) created by the researcher
  • We will not provide any test accounts

Dos and Don'ts


  • Always submit proof (e.g., a PoC) regarding the exploitability of your finding
  • Provide a detailed report with reproducible steps, including the full http requests leading to the exploit
  • Only submit one vulnerability per report, unless you need to chain the vulnerabilities for successful exploitation
  • Set the request headers according to Intigriti’s guidelines
  • Adhere to the rate limitations according to Intigriti’s guidelines


  • Do not disclose details of this program or vulnerabilities (even resolved ones) to the public or any third party without the explicit consent of the BMW Group
  • Do not perform any testing that causes degradation to BMW's services e.g., denial of service, or heavy automated scanning
  • Do not access or make changes to customer accounts
  • Do not perform social engineering attacks, including phishing
  • Do not spam
  • Do not perform any physical attacks
  • Any lateral movement and post-exploitation past the initial exploitation is forbidden

Validation times

Are currently undergoing re-evaluation.
Please note that No bounty findings may take significantly longer to validate.

Check our fix

We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of the BMW Group to award.

Tier 1
Tier 1
Tier 1
Tier 2
Tier 2
Tier 2

Other BMW Domains

No bounty

Please select this asset to report vulnerabilities affecting BMW assets but not matching any of the assets stated above.

Important: Note our policy regarding "No Bounty Domains" and a potentially deviating application of the safe harbor clause.
We may award a small bonus for these assets, but only valid high, critical and exceptional severity findings - this is however, at the discretion of the BMW Group team.

Automotive Security

Out of scope

Please submit valid findings regarding Automotive assets in our public BMW Group - Automotive program.

Domains from independent BMW Dealers, Resellers or Fanclubs

Out of scope

These domains belong to legally independent entities. We can only inform these entities. However, we have no influence on the mitigation process of the vulnerabilities in these assets.

In scope

The BMW Group values the work of security researchers in improving the security of our products and services and encourages the community to participate in its bug bounty program. We are committed to working with you to verify, reproduce, and respond to legitimate reported vulnerabilities covered by this policy. Within this program bounties can be received by reporting vulnerabilities that are in the scope of program.

Critical and exceptional findings can earn you a place on our BMW Security Hall of Fame.

For submissions, please ensure the following requirements are met:


Browsers have to be up to date (latest released stable version) on the day of submission. Vulnerabilities which require certain plugins are out of scope.
Only the following browsers are in scope:

  • Chrome
  • Firefox
  • Safari
  • Edge


Only the targets listed above are in scope.


Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here:

Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope


  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that only work on software that no longer receive security updates
  • Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
  • Reports that state that software is out of date/vulnerable without a proof-of-concept


Vulnerabilities that were already known to the BMW Group through our own testing will be flagged as duplicate.
Vulnerabilities that were already reported to the BMW Group will be flagged as duplicate.

During our transitional phase:
For vulnerabilities that have already been reported via our old program at HackerOne but have not yet been resolved, no new bounties will be paid out. These cases are examined individually by the triage team and us and, if applicable, will be closed with a corresponding notice.
This problem will only exist during a transitional period.


  • Everything not explicitly listed as in scope
  • All subdomains of the domains in scope
  • Pages redirecting to non-BMW domains


  • Wordpress usernames disclosure
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that can't be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking without proven impact/unrealistic user interaction
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Tokens leaked to third parties
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection without being able to modify the HTML
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Not stripping metadata of files
  • Same-site scripting
  • Subdomain takeover without taking over the subdomain
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Blind SSRF without proven business impact (pingbacks aren't sufficient)
  • Disclosed/misconfigured Google Maps API keys
  • Host header injection without proven business impact
  • CSRF logout
  • Self-exploitation (e.g., token or cookie reuse)
  • Broken links to third-party social media web pages (e.g., independent BMW Dealers, Resellers or Fanclubs)
  • Blind XSS that cannot be verified: Blind XSS Triggers must be fired within a week after setting them up. If they cannot be verified by the triage team, the related report will be rejected


All post-exploitation is out of scope, except the minimum to prove that the exploit is working:

  • In case of an RCE or injection attack, you may issue commands stating the version of the database, the system name or the local IP address
  • All post exploitation that will lead to further vulnerabilities or risk the stability or integrity of a system is out of scope

Domains from independent BMW Dealers, Resellers or Fanclubs

We would like to point out that not every asset that has BMW (or one of its brands) in its name necessarily belongs to the BMW Group. The systems in question may include retailers, importers, service providers, fan clubs, or others. However, in many of these cases, we have limited or no influence on the actual owner of these systems. In these cases, the reports will be closed by the triage team or by us with a corresponding notice. These systems are not eligible for bounty or bonus.

No Bounty Domains

While not being covered by the safe harbor clause, vulnerabilities related to domains that are not in scope of this program can be reported by choosing the respective “Other BMW Domains” asset. Please consider that these assets are not eligible for any bounty. However, they may be eligible for a bonus.

Severity assessment

This program follows Intigriti's contextual CVSS standard


Where can I get test credentials?

We currently don’t offer any credentials to test user roles.

I believe I have found a vulnerable asset related to BMW but I am not sure if the asset actually belongs to BMW. Can I still report it?

Yes! If you are unsure if the vulnerable asset you found belongs to BMW and you believe that it is not owned by an independent retailer, importer, service provider, fan club, etc. please use the "Other BMW Domains" asset to report this vulnerability. Note that these assets are not eligible for bounty but we may award a bonus for high, critical and exceptional severity findings.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

last contributors
Overall stats
submissions received
average payout
accepted submissions
total payouts
Last 90 day response times
avg. time first response
< 2 days
avg. time to decide
< 3 weeks
avg. time to triage
< 2 days
created a submission
created a submission
created a submission
created a submission
created a submission
created a submission
created a submission
created a submission
created a submission
created a submission