The BMW Group looks forward to working with the security community to find vulnerabilities in order to keep its products and customers safe and secure. We are committed to working with you to verify, reproduce, and respond to legitimate reported vulnerabilities covered by this policy. Within this program, bounties can be received by reporting vulnerabilities that are in the scope of the program and marked as “Eligible”. Please take note of the current scope outlined below.
Policies
By participating in this program, you agree to:
- Respect the Community Code of Conduct
- Respect the Intigriti Terms and Conditions
- Respect the scope of the program
- Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)
General Rules
- Research must be done using your own BMW products. You should not modify products owned by other BMW customers.
- BMW is not responsible if you damage your product in any way during your research.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- We will not reimburse you for any costs related to proofs of concept (or other materials) created by the researcher.
Response Targets
BMW Automotive Team will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 4 days |
| Time to Bounty | 28 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Check our fix
We offer up to €50 bonus to verify a resolved issue for us (when requested).
This remains at the discretion of BMW to award.
The BMW Group values the work of security researchers in improving the security of our products and services and encourages the community to participate in its bug bounty program. We are committed to working with you to verify, reproduce, and respond to legitimate reported vulnerabilities covered by this policy. Within this program, bounties can be received by reporting vulnerabilities that are in the scope of the program.
Critical and exceptional findings can earn you a place on our BMW Security Hall of Fame.
Targets
The BMW Automotive Program targets our automotive products; this includes BMW Group vehicles as well as our automotive-related smartphone apps.
General
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Previously known vulnerable libraries without a working Proof of Concept.
- Denial of Service by flooding the ECU with bus messages or other inputs.
- Software version disclosure / Banner identification issues.
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
Duplicates
Vulnerabilities that were already known to the BMW Group through our own testing will be flagged as duplicate.
Vulnerabilities that were already reported to the BMW Group will be flagged as duplicate.
During our transitional phase:
For vulnerabilities that have already been reported via our old program at HackerOne but have not yet been resolved, no new bounties will be paid out. These cases are examined individually by the triage team and us and, if applicable, will be closed with a corresponding notice.
This problem will only exist during a transitional period.
Assets
- The eligibility of BMW Group aftermarket products is decided on a case-by-case basis
This program follows Intigriti's triage standards
Where can we get credentials for the app?
We currently don’t offer any credentials to test user roles.