Car Hacking and Vulnerability Reporting in 2026

Introduction

Now that we’re fresh into the start of 2026, I thought it would be interesting to take a look back at the state of automotive cybersecurity. To do this, I wanted to answer the question of:

What is the state of automotive vulnerability reporting in 2026?

No sales pitches, no marketing, not trying to get you to subscribe to any services. Just an honest look at the current “state of the industry”, so to speak.

Evaluation Criteria

The question I started with (“What is the state of automotive vulnerability reporting in 2026?”) is somewhat generic. To make these results more useful, I decided to break this question down into multiple smaller evaluation criteria:

  • 1 - Does the OEM run a vulnerability disclosure program? (VDP)

  • 2 - Does the OEM run a vulnerability rewards program (VRP), aka a bug bounty program?

    • This is the kind of disclosure program that pays out bounties for reporting vulnerabilities, to encourage and reward research and participation

  • 3 - If an OEM operates a VDP or VRP, does the program include their hardware or vehicle platforms as in-scope?

  • 4 - Does the OEM have a publicly-accessible page that discusses the cybersecurity of their devices?

  • 5 - Does the OEM have a publicly-accessible email address that makes it easy to contact or reach out to their cybersecurity team?

  • 6 - Does the OEM have any reported CVEs, or publicly-published vulnerabilities?

A Quick Note on CVEs and Reputation

I wanted to add a quick side note on CVEs/public vulnerabilities:

In general, I consider a high number of reported CVEs to be an extremely positive thing.

I believe that all reasonably complex software has vulnerabilities - a strong disclosure program and large number of CVEs show a commitment to quality and identifying and fixing issues. A high number of CVEs is not an indicator of bad or low quality software.

If anything, having zero CVEs is the most concerning metric, as it likely means either no one has tested the software, or no one has published their findings…

My reason for mentioning this is so that you have additional context as to how to read into the metrics.

A high number of CVEs != bad. Zero CVEs and no VDP == bad.

International Vulnerability Databases

Oops, one more thing - a secondary note on alternative vulnerability databases:

I think cybersecurity transcends borders. I don’t want this article to come off as inherently US-centric, and unfortunately MITRE and the CVE database are inherently US-focused and federally-funded. As such, where possible I’ve also included vulnerabilities from the European Union Vulnerability Database (EUVD) and China National Vulnerability Database (CNNVD). Hopefully this is helpful and adds some additional context to the dataset!

Who is being evaluated?

The next obvious question is: Who is being evaluated? For this post, I decided to focus in on the OEM companies themselves. Ford, Honda, Tesla, those kinds of companies.

Now, automotive does have a somewhat unusual attack surface and remediation problem: While someone may think they’re hacking on a “BMW”, they may actually be targeting the infotainment system that was built for BMW by Harman Becker (just as an example). Many of the modules that comprise the attack surface of a car are made by third-party suppliers under contract with the OEMs, rather than being built by the OEM themselves.

This structure makes traditional bug bounty programs somewhat difficult - should a finding in a BMW-labeled Harman-built head unit be a BMW CVE? Or a Harman CVE?

Personally, I think that if someone encounters a vulnerability in their vehicle, their first thought would be to report it to the OEM themselves - not to try to figure out who the supplier is. I think the OEM’s vulnerability disclosure program should exist as the first line of reporting/defense, where vulnerability reports can be relayed down to suppliers as needed.

So, based on these criteria, I put together a list of OEM companies to evaluate. These companies are based in the United States, Europe, India, Vietnam, Japan, and China. The list is comprised of 40 total OEMs, and many companies on the list offer vehicles under multiple makes/marques. For the full list of all OEMs that were assessed, please see the appendix!

The Results

Due to the size of the table (40 total rows) I had to split it into two screenshots so it wouldn’t break the blog’s formatting, sorry!

Fancy Pie Charts

Using these results, we can put together some basic pie charts to help visualize the data (this was just done in Google Sheets, apologies for the amateur quality).

Pie chart results showing the percentage of OEMs that have a public VDP or VRP program.

Our first results were already pretty interesting - bug bounties aside, only ~59% of OEMs had any semblance of a Vulnerability Disclosure Program (VDP). This means that for 41% of OEMs, if you find a vulnerability, you won’t have anyone to report it to!

On the topic of financial incentives, the statistics for Vulnerability Reward Programs (VRPs) show an unfortunate lack of adoption in the automotive industry. And an even crazier fact? Only 3 OEMs outside of China had Vulnerability Reward Programs - BMW, Tesla, and Rivian. Chinese OEMs far outpaced the rest of the world, with 6 different Chinese OEMs running VDPs!

(Technically, two other companies kind of had VRPs - Ferrari offers private factory tours if you find critical issues, which is somewhat outside of the realm of a normal VRP and is only reserved for the most severe issues. Volkswagen operates a VRP for their website/mobile apps that specifically excludes their vehicle platforms, which is a major bummer. That’s what landed both of them in the “Kinda” segment.)

Pie chart results showing the publication of cybersecurity resources and availability of a public contact email.

These two questions were intended to survey the public communications around each of the OEM’s cybersecurity efforts.

“Does the OEM have Public Cybersecurity Resources” - The results here were surprising, with close to 50% of the OEMs having some sort of public website, publication, or talk available that discussed their cybersecurity strategy. Some OEMs also had cybersecurity tips for owners, or other security-related materials.

Note: The large chunk of “N/A” results represented many of the Chinese OEMs. I didn’t want to take away points if I was unable to find cybersecurity publications for Chinese companies, because I’m not fluent in Chinese. It’s possible a negative result would be due to my lack of Chinese language research skills, not due to any fault of the company.

“Does the OEM have a cybersecurity contact email address?” - This question was intended to address the accessibility of OEM security teams. In general, you want to have as few barriers as possible in between a security researcher and the ability to report a finding. If someone finds out how to get root on an OEM’s vehicle but doesn’t report it because of how difficult the OEM has made the reporting process, that’s a failure on the OEM (IMO). Unfortunately, only 38.5% of the OEMs I looked into had a public contact email address listed for their cybersecurity team or vulnerability reporting program.

The final pie chart result: How many of the OEMs had published vulnerabilities?

The final question was quite possibly the most controversial, from the standpoint of interpreting results. How many of the OEMs had published vulnerabilities? In this case, 56.4% of the OEMs had no listed vulnerabilities - highly suspicious!

This brings about a few questions:

  • Have these OEMs performed penetration testing and security audits, but never had any security issues with their platforms?

  • Have these OEMs never had security research performed against production versions of their vehicle platforms?

  • Have these OEMs dealt with security issues, but never published a public advisory for them?

No matter what the answer is, I am personally skeptical of any company that has never had a security advisory or vulnerability published.

I’ll reiterate what I said in the beginning of the blog post: to me, more CVEs/reported vulnerabilities is better, because it means the software is being given attention, assessed, and reported on in a public way to protect customers/users.

Zero CVEs is not an indication of secure software - it is indicative of a lack of attention, or a lack of reporting (in my opinion).

Anyways, enough ranting about CVEs. On to the long-form data!

Long Form Data

The below section contains the results of the research I performed on each OEM. I’ve added notes and clarifying bullet points wherever possible.

If you believe I’ve missed any key pieces of information, please feel free to reach out! I would be happy to update the post.

For each of the listed OEMs, I performed my research in English using a combination of Google and DuckDuckGo. Where possible, I also sought out information in the country of origin’s language (for example, for Chinese OEMs I tried searching for 漏洞披露计划). I focused specifically on official websites and pages created by the OEM organization themselves, rather than headlines or information reported by third-party websites.
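The per-vendor, per-year CVE tallies in the sections below can be reproduced from the NVD CVE API rather than by hand. The following is an added example, not code from the original post: it builds the documented keyword-search URL for the NVD CVE API 2.0 and counts the CVEs in a response by publication year, optionally keeping only records whose CPE configurations name a given vendor. The JSON embedded in the block is a constructed, minimal stand-in for a real API response, and the CVE IDs and vendor names in it are placeholders.

```python
"""Tally published CVEs per year from an NVD CVE API 2.0 response.

Added example, not part of the original post. SAMPLE_RESPONSE below is a
constructed stand-in for what the NVD API returns; its CVE IDs and vendor
names are placeholders, not real records.
"""
import json
from collections import Counter
from typing import Optional
from urllib.parse import urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def nvd_query_url(keyword: str, start_index: int = 0, results_per_page: int = 2000) -> str:
    """Build the keyword-search URL for one page of NVD results.

    keywordSearch matches CVE descriptions, so a query for an OEM name also
    returns CVEs in unrelated products whose description merely mentions
    the OEM. Those still need manual review (or the CPE filter below).
    """
    params = {
        "keywordSearch": keyword,
        "startIndex": start_index,
        "resultsPerPage": results_per_page,
    }
    return f"{NVD_API}?{urlencode(params)}"


def _names_vendor(cve: dict, vendor: str) -> bool:
    """True if any CPE in the record's configurations has this vendor field.

    CPE 2.3 strings look like cpe:2.3:<part>:<vendor>:<product>:..., so the
    vendor is the fourth colon-separated field.
    """
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                fields = match.get("criteria", "").split(":")
                if len(fields) > 3 and fields[3].lower() == vendor.lower():
                    return True
    return False


def cves_by_year(api_response: dict, vendor_filter: Optional[str] = None) -> dict:
    """Count CVEs per publication year, newest year first.

    With vendor_filter set, only records whose CPE configurations name that
    vendor are counted, which removes description-only keyword matches.
    """
    counts = Counter()
    for item in api_response.get("vulnerabilities", []):
        cve = item["cve"]
        if vendor_filter and not _names_vendor(cve, vendor_filter):
            continue
        year = int(cve["published"][:4])  # published is an ISO 8601 timestamp
        counts[year] += 1
    return dict(sorted(counts.items(), reverse=True))


# Constructed sample response (placeholder IDs and vendors), shaped like the
# real NVD API 2.0 JSON: vulnerabilities[].cve.{id,published,configurations}.
SAMPLE_RESPONSE = json.loads("""
{"resultsPerPage": 3, "startIndex": 0, "totalResults": 3,
 "vulnerabilities": [
  {"cve": {"id": "CVE-2024-1001", "published": "2024-03-05T12:00:00.000",
           "configurations": [{"nodes": [{"cpeMatch": [
             {"vulnerable": true,
              "criteria": "cpe:2.3:o:exampleoem:infotainment:1.0:*:*:*:*:*:*:*"}]}]}]}},
  {"cve": {"id": "CVE-2024-1002", "published": "2024-11-20T12:00:00.000",
           "configurations": [{"nodes": [{"cpeMatch": [
             {"vulnerable": true,
              "criteria": "cpe:2.3:a:exampleoem:mobile_app:2.1:*:*:*:*:*:*:*"}]}]}]}},
  {"cve": {"id": "CVE-2023-1001", "published": "2023-07-01T12:00:00.000",
           "configurations": [{"nodes": [{"cpeMatch": [
             {"vulnerable": true,
              "criteria": "cpe:2.3:a:othervendor:tool:3.0:*:*:*:*:*:*:*"}]}]}]}}
 ]}
""")

if __name__ == "__main__":
    print(nvd_query_url("exampleoem"))
    print("all keyword hits by year:", cves_by_year(SAMPLE_RESPONSE))
    print("CPE-confirmed for exampleoem:", cves_by_year(SAMPLE_RESPONSE, "exampleoem"))
```

To run this against live data, fetch the URL from `nvd_query_url` (the public API is rate-limited without an API key, and responses larger than one page need to be walked with `startIndex`), then pass the parsed JSON to `cves_by_year`. Counting with the CPE vendor filter and without it, and comparing the two, is a quick way to spot the description-only matches that inflate a raw keyword count.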

General Motors

  • VRP / VDP

    • General Motors operates a Vulnerability Disclosure Program on HackerOne, which was launched in January 2016

      • Vehicle Targets: They accept reports for “all owned assets based on impact, even if not listed in scope”

      • This is strictly a disclosure program, not a bounty program - no financial rewards are provided.

      • The most recent public report was resolved 8 months ago.

      • HackerOne claimed that in the first two years of GM’s VDP, GM identified and resolved more than 700 bugs

  • Public Cybersecurity Resources

    • GM has a Cybersecurity page on their website which outlines security tips and best practices, and even links to their vulnerability disclosure program.

      • On this page, they also offer an email address for easy contact with their security team.

  • Published Vulnerabilities

    • 5 total CVEs have been attributed to GM

      • 3 were reported in 2017, and relate to their Shanghai OnStar SOS iOS Client

      • 2 were reported in 2023 and relate to the Chevrolet Equinox infotainment software

Stellantis (North America + Europe)

  • VDP / VRP

    • Stellantis used to have a bug bounty program/VRP operated through Bugcrowd, which was launched in July 2016

      • The program was paused on 2025-05-30, and it seems the program was then officially closed/canceled on 2025-12-10

      • They rewarded 616 total vulnerabilities

      • They offered rewards in four tiers:

        • P1: $1500-$7500

        • P2: $800-$1500

        • P3: $450-$800

        • P4: $150-$400

      • I can’t find any announcements or social media posts discussing why they’ve discontinued their Bugcrowd program

      • I sent an email over to Bugcrowd to see if Stellantis had any plans of re-opening their Bugcrowd program, or if they had offered any method to report vulnerabilities as an alternative.

        • Bugcrowd responded with: “We have not received any notes internally as to when the engagement will be re-opening. Once the engagement will re-open the program owners/CEM team will post an announcement on their engagement brief.” They also added that they searched around for a page where you may still be able to report vulnerabilities, and recommended this Stellantis Bug Report website.

        • Soooo, I guess this means Stellantis has no VRP right now, with no (public) plans to re-open it.

  • Public Cybersecurity Resources

    • I couldn’t find any Stellantis cybersecurity websites - all resources I found seemed to discuss their Bugcrowd program, which is now defunct.

      • I found a generic marketing blurb website about how security is important

        • https://www.stellantis.com/en/sustainability/engaging-our-stakeholders/customers/innovating-to-deliver-safe-and-reliable-products

      • I found a website with security tips run by Stellantis Financial Services

        • https://www.stellantis-fs.com/Legal/Security

  • Published Vulnerabilities

    • Stellantis has one CVE attributed to them.

      • Technically, “Stellantis” as an entity has zero CVEs attributed to them

      • 1 CVE has been attributed to FCA (the prior name of Stellantis), reported in 2015

Ford Motor Company

  • VDP / VRP

    • Ford operates a vulnerability disclosure program through HackerOne, launched in January 2019

      • They’ve resolved 3696 total reports as of writing, with 240 of those occurring in the last 90 days.

      • This is strictly a disclosure program, not a bounty program - no financial rewards are provided.

      • Vehicle Targets: Ford specifically marks vehicle targets as in-scope for their VDP! :)

    • Prior to their HackerOne program, Ford previously operated a Coordinated Disclosure Program through Bugcrowd, launched in August 2017

      • Through this program, they resolved 6,468 total vulnerabilities

      • This program was shut down in January 2019, coinciding with their move to HackerOne

      • This was also strictly a disclosure program, not a bounty program.

  • Public Cybersecurity Resources

    • Ford has previously published public customer guidance when vulnerabilities were discovered in their vehicles

      • Example: This disclosure was published by Ford back in August of 2023, when a Microsoft security researcher discovered a buffer overflow -> RCE vuln in a Texas Instruments WiFi driver (which it seems was used in Ford’s SYNC 3 system).

        • IMO, this is a great disclosure - it provides a summary of the issue, link to the actual vulnerability report, info on what Ford is going to do about it, and tips on how customers can protect themselves in the meantime. On top of that, it was updated with additional information once the patch was released! A+ rating.

    • Ford has a public page titled “What is Ford doing to protect my vehicle from data security threats?”, where they outline some of the cybersecurity activities they partake in (at a higher/layman level) and how they protect customers.

  • Published Vulnerabilities

Tesla

  • VDP / VRP

    • Tesla operates a bug bounty program/VRP through Bugcrowd, launched in August 2015

      • They’ve resolved/rewarded 888 total vulnerabilities through the program

      • Vehicle Targets: Tesla has marked vehicle targets as specifically in-scope for their VRP! :)

      • They offer financial bounties for the reporting of security vulnerabilities

        • For non-vehicle vulnerabilities:

          • P1: $3,000-$10,000

          • P2: $500-$4,000

          • P3: $200-$700

          • P4: $100-$200

        • For vehicle target vulnerabilities:

          • P1: $50,000-$100,000

          • P2: $20,000-$50,000

          • P3: $10,000-$20,000

          • P4: $500-$10,000

          • P5: $0-$500

      • Tesla also offers a “root access program”, which is quite novel/cool. Essentially, if a researcher reports a novel way to get root, Tesla may provision them an official SSH certificate + SSH access to their device, allowing them to continue their research using root.

    • Tesla is a common participant in ZDI’s yearly Pwn2Own Automotive events

      • I’m not entirely clear on how Pwn2Own works in this instance - does Tesla volunteer to be a target, or are they simply made an incentivized target by ZDI due to their popularity? If it’s the second case, Tesla’s “participation” may have nothing to do with Tesla themselves, lol.

  • Public Cybersecurity Resources

    • Tesla has a public Product Security page where they outline their vulnerability disclosure process

      • On this page, they also offer an email address for easy contact with their security team.

    • Tesla also allows researchers to register as official security researchers with the company, and to register specific Tesla vehicles as security research platforms.

  • Published Vulnerabilities

    • 25 CVEs have been attributed to Tesla

      • 4 were reported in 2025

      • 5 were reported in 2024

      • 3 were reported in 2023

      • 5 were reported in 2022

      • 6 were reported in 2020

      • 1 was reported in 2019

      • 1 was reported in 2016

    • It seems that Tesla is one of the most proactive OEMs in terms of publicly disclosing their vulnerabilities.

Rivian Automotive, Inc.

  • VDP / VRP

    • Rivian operates a bug bounty program/VRP through Intigriti

      • I believe it was launched sometime in early 2024, though I’m not 100% confident.

      • Vehicle Targets: Unfortunately, they specifically exclude vehicle systems from this bug bounty program!

        • The “scope” section notes: “the vehicles themselves are not part of this Bug Bounty program.”

      • There have been 77 accepted submissions through this program

      • They offer rewards in two tiers, each with five levels of criticality

        • Tier 1 - Main Rivian website API and URLs

          • Tier 1 Low: $150

          • Tier 1 Medium: $700

          • Tier 1 High: $2,000

          • Tier 1 Critical: $5,000

          • Tier 1 Exceptional: $5,000

        • Tier 2 - Rivian apps and other URLs

          • Tier 2 Low: $100

          • Tier 2 Medium: $350

          • Tier 2 High: $1,500

          • Tier 2 Critical: $3,500

          • Tier 2 Exceptional: $3,500

      • They have awarded $52,225 in total payouts at the time of writing.

  • Public Cybersecurity Resources

    • Rivian has a public Cybersecurity Vulnerabilities page that outlines their preferred vulnerability disclosure process.

      • On this page, they also offer an email address for easy contact with their security team.

    • Rivian has previously published a blog post on their efforts in cybersecurity and hackathon events.

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Rivian

Lucid Motors

  • VDP / VRP

    • Lucid operates a vulnerability disclosure program through Bugcrowd, launched in April 2022

      • This appears to be strictly a disclosure program, not a bounty program - no financial rewards are provided.

      • This program was recently paused for five months with no activity

        • A funny coincidence, the program resumed activity one day before writing (2026-01-20)

      • Vehicle Targets: Unfortunately, this program does not seem to include testing of Lucid’s vehicle platforms. :(

        • The only asset listed as “in-scope” is the main Lucid website.

      • As of writing, 197 vulnerabilities have been accepted through the program.

  • Public Cybersecurity Resources

    • Lucid has a page explaining the company’s Vulnerability Disclosure Program, but unfortunately this section is buried at the bottom of their overall “Legal” resource page.

      • This VDP page also reiterates the same scope as their Bugcrowd program, essentially marking all vehicle or hardware-specific vulnerabilities as out-of-scope.

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Lucid Motors

Jaguar Land Rover

  • VDP / VRP

    • Jaguar Land Rover does not appear to operate a public Vulnerability Disclosure Program or Vulnerability Reward Program in any capacity

      • I even found a LinkedIn post from over a year ago, posted by a security researcher who had discovered multiple vulnerabilities in JLR’s website and was unable to find a contact at the company to report them to.

  • Public Cybersecurity Resources

    • Unfortunately, the only public cybersecurity resource I could find was Jaguar Land Rover’s “Statement on Cyber Incident”, from their 2025 cybersecurity breach.

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Jaguar Land Rover

BMW (BMW, Mini, Rolls-Royce)

  • VDP / VRP

    • BMW operates two bug bounty programs/VRPs through Intigriti, launched in 2024

      • The BMW Group Public Program focuses on the security of BMW websites and endpoints

        • As of writing, 1,757 submissions have been accepted through this program.

      • The BMW Group Automotive Program focuses on the security of BMW vehicles and automotive products

        • As of writing, 8 submissions have been accepted through this program.

        • Vehicle Targets: Vehicle targets are listed as in-scope for this VRP! :)

        • Vulnerabilities dealing with immobilizer and vehicle access are marked as the highest priority targets.

    • Both programs offer two tiers of rewards, with 5 levels of criticality

    • BMW Group Public Program Rewards

      • Tier 1 Low: €250

      • Tier 1 Medium: €500

      • Tier 1 High: €1,500

      • Tier 1 Critical: €3,500

      • Tier 1 Exceptional: €6,000

      • Tier 2 Low: €150

      • Tier 2 Medium: €300

      • Tier 2 High: €1,000

      • Tier 2 Critical: €2,000

      • Tier 2 Exceptional: €3,000

    • BMW Group Automotive Program Rewards

      • Tier 1 Low: €500

      • Tier 1 Medium: €2,000

      • Tier 1 High: €5,000

      • Tier 1 Critical: €10,000

      • Tier 1 Exceptional: €15,000

      • Tier 2 Low: €100

      • Tier 2 Medium: €500

      • Tier 2 High: €1,000

      • Tier 2 Critical: €2,000

      • Tier 2 Exceptional: €5,000

  • Public Cybersecurity Resources

    • BMW has a public Security page which details how to report vulnerabilities in BMW products and services

      • On this page, they also publicly recognize the researchers who reported vulnerabilities in their products.

  • Published Vulnerabilities

Mercedes-Benz Group

  • VDP / VRP

    • Mercedes runs a Vulnerability Disclosure Program through Bugcrowd, launched in May 2025

      • This appears to be strictly a disclosure program, not a bounty program - no financial rewards are provided.

      • The Bugcrowd page itself is relatively light on details, as it seems the main information about the VDP is present on Mercedes’ own website

        • Mercedes has been running their own private VDP since at least 2022

      • Vehicle Targets: Vehicle targets are specifically called out as in-scope within Mercedes’ VDP! :)

  • Public Cybersecurity Resources

    • Mercedes has a Vulnerability Disclosure Program webpage that outlines the details of their VDP and links to their main Bugcrowd page.

    • Mercedes has published a formal RFC 2350 document outlining their Cyber Intelligence and Response Center (CIRC) details

      • Within this document, they also offer an email address for easy contact with their CIRC team.

  • Published Vulnerabilities

Volkswagen Group (Audi, Bentley, Lamborghini, Porsche, Volkswagen)

Renault

Ferrari

  • VDP / VRP

    • Ferrari offers a private vulnerability disclosure program on their website

      • Vehicle Platforms: Ferrari specifically states that “Any Ferrari product” is considered in-scope - this likely means their vehicle platforms are considered in-scope for Ferrari’s VDP! :)

      • This program also has some extremely cool rewards for specially-chosen disclosures: Either a guided Ferrari factory tour (travel expenses to Maranello excluded), or a Ferrari small gift (shipping costs included). Pretty cool!

  • Public Cybersecurity Resources

    • The Ferrari VDP website offers an email address for easy contact with their security team

    • Ferrari does not appear to have any other public cybersecurity resources

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Ferrari

Volvo Cars (Volvo, Polestar)

Honda Motor Company (Honda, Acura)

  • VDP / VRP

    • I was unable to find any mention of a Honda Motor Company vulnerability disclosure program online

  • Public Cybersecurity Resources

    • I was unable to find any public cybersecurity resources published by Honda

    • I was unable to find a public contact email address for Honda’s cybersecurity team.

  • Published Vulnerabilities

Toyota (Toyota, Lexus)

Mazda

  • VDP / VRP

    • I was unable to find any Mazda-affiliated vulnerability disclosure program

  • Public Cybersecurity Resources

    • Mazda hosts a risk management page that outlines some of the company’s automotive security practices.

    • I was unable to find a public contact email address for Mazda’s cybersecurity team

  • Published Vulnerabilities

Mitsubishi

  • VDP / VRP

    • I was unable to find any Mitsubishi-affiliated vulnerability disclosure program

      • Other branches of Mitsubishi’s conglomerate (such as Mitsubishi Heavy Industries) had their own vulnerability reporting pages, but Mitsubishi Motors did not appear to have one.

  • Public Cybersecurity Resources

    • Mitsubishi’s 2025 Sustainability Report mentions some of the company’s automotive-focused product cybersecurity practices.

    • I was unable to find a public contact email address for Mitsubishi’s cybersecurity team

  • Published Vulnerabilities

Nissan (Nissan, Infiniti)

Subaru

  • VDP / VRP

    • I was unable to find a currently-running vulnerability disclosure program for Subaru

    • BUT: Just a few days before writing (January 19th 2026, it seems), Subaru publicly partnered with the Japanese bug bounty website IssueHunt to begin preparing a Subaru VDP! This is a great step in the right direction for Subaru :D

      • It seems like a big issue for Subaru was that existing bug bounty platforms do not have sufficient Japanese language support. This could be a big reason that few Japanese OEMs have opted for platforms like HackerOne or Bugcrowd.

      • A second exciting note: In Subaru’s interview with IssueHunt, they specifically note being interested in the fact that IssueHunt supports bug bounty programs (in addition to normal VDP features). Woot!

  • Public Cybersecurity Resources

    • Subaru publishes a Cybersecurity Risk Management page which provides an in-depth overview of the company’s cybersecurity policy.

    • I was unable to find a public contact email address for Subaru’s cybersecurity team

  • Published Vulnerabilities

Hyundai Motor Group (Genesis, Hyundai, Kia)

  • VDP / VRP

    • Hyundai Motor America and Genesis Motor America operate a vulnerability disclosure program through HackerOne

      • This is strictly a disclosure program, not a bounty program - no financial rewards are provided.

      • Vehicle Platforms: While not explicitly stated, the scope of Hyundai Motor America’s VDP does not seem to immediately disqualify vehicle platform testing.

    • Hyundai Motor Europe GmbH offers a private vulnerability disclosure program directly on their website.

      • This is strictly a disclosure program, not a bounty program - no financial rewards are provided.

      • Vehicle Platforms: While not explicitly stated, the scope of Hyundai Motor Europe’s VDP does not seem to immediately disqualify vehicle platform testing.

    • Kia America offers a private vulnerability disclosure program directly on their website

      • This is strictly a disclosure program, not a bounty program - no financial rewards are provided.

      • Vehicle Platforms: The scope of Kia America’s VDP explicitly includes “Kia Vehicle Vulnerabilities”! :)

    • Kia Europe GmbH offers a private vulnerability disclosure program directly on their website

      • This is strictly a disclosure program, not a bounty program - no financial rewards are provided.

      • Vehicle Platforms: While not explicitly stated, the scope of Kia Europe GmbH’s VDP does not seem to immediately disqualify vehicle platform testing.

  • Public Cybersecurity Resources

  • Published Vulnerabilities

VinFast

  • VDP / VRP

    • I was unable to find any VinFast-affiliated vulnerability disclosure program

  • Public Cybersecurity Resources

  • Published Vulnerabilities

    • 0 CVEs have been attributed to VinFast

Mahindra

  • VDP / VRP

    • I was unable to find any Mahindra-affiliated vulnerability disclosure program

  • Public Cybersecurity Resources

    • I was unable to find any public cybersecurity resources published by Mahindra

    • I was unable to find a public contact email address for Mahindra’s cybersecurity team.

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Mahindra

BYD (BYD, Denza, Fangchengbao, Yangwang, RIDE)

  • VDP / VRP

  • Public Cybersecurity Resources

  • Published Vulnerabilities

    • 4 CVEs have been attributed to BYD

      • I’m unsure why, but it seems like BYD isn’t registered as a Vendor on MITRE’s NVD. Because of that, none of the listed CVEs actually connect back to a central “BYD” vendor. Probably something that should be fixed

    • TODO: I think there are more than 2, continue research (they’re spread across multiple vuln databases)

Geely Automobile Holdings (Geely, Lynk & Co, Zeekr, Lotus Cars, Volvo, Polestar)

  • VDP / VRP

    • Geely offers a private vulnerability reward program through their website, launched in June 2023

      • A Geely account is required to submit a vulnerability report

      • It seems that researchers will be able to redeem “security coins” for various rewards through their website

      • This program is likely still under development, as there is only one item available for redemption named “test”

  • Public Cybersecurity Resources

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Geely

Chery (Chery, Exeed, Luxeed, Jetour, iCar, Karry, Omoda, Jaecoo, Lepas, Exlantix, Aiqar)

  • VDP / VRP

    • Chery offers a private vulnerability disclosure program on their website

      • A mobile phone number is required to submit reports to Chery’s VDP

      • Vehicle Platforms: I was unable to find a specific scope for Chery’s VDP - because of this, their vehicle platforms are likely in-scope for vulnerability reports.

  • Public Cybersecurity Resources

    • I was unable to find a public email address for Chery’s security team.

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Chery

Dongfeng (Dongfeng, Dongfeng Honda, Dongfeng Nissan, Dongfeng Peugeot-Citroen)

  • VDP / VRP

    • Dongfeng Nissan offers a private vulnerability disclosure program on their website

      • A mobile phone number is required to submit reports to Dongfeng Nissan’s VDP

      • Vehicle Platforms: I was unable to find a specific scope for Dongfeng Nissan’s VDP - because of this, their vehicle platforms are likely in-scope for vulnerability reports.

    • Dongfeng Honda offers a private vulnerability disclosure program on their website

      • Rather than a web form, all vulnerability reports are submitted by email

      • Vehicle Platforms: I was unable to find a specific scope for Dongfeng Honda’s VDP - because of this, their vehicle platforms are likely in-scope for vulnerability reports.

  • Public Cybersecurity Resources

    • Dongfeng Honda’s VDP page provides an email address to easily contact the Dongfeng Honda security team.

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Dongfeng

SAIC (IM Motors, Maxus, MG, Roewe, Baojun, Wuling, Hongyan, Sunwin)

  • VDP / VRP

    • I was unable to find a VDP / VRP program for SAIC

  • Public Cybersecurity Resources

    • I was unable to find any public cybersecurity resources for SAIC

  • Published Vulnerabilities

    • 0 CVEs have been attributed to SAIC

Changan (Changan Auto, Changan Nevo, Deepal, Avatr, Kaicene)

  • VDP / VRP

    • I was unable to find a VDP / VRP program for Changan

  • Public Cybersecurity Resources

    • I was unable to find any public cybersecurity resources for Changan

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Changan

Great Wall Motor (GWM, Haval, Wey, Tank, Poer, Ora, Spotlight Automotive)

  • VDP / VRP

    • I was unable to find a VDP / VRP program for Great Wall Motor

  • Public Cybersecurity Resources

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Great Wall Motor

FAW Group (Hongqi, Bestune)

  • VDP / VRP

    • I was unable to find a VDP / VRP program for FAW Group

  • Public Cybersecurity Resources

    • I was unable to find a public email address for FAW Group’s security team.

  • Published Vulnerabilities

    • 0 CVEs have been attributed to FAW Group

Leapmotor (Leapmotor)

  • VDP / VRP

    • I was unable to find a VDP / VRP program for Leapmotor.

  • Public Cybersecurity Resources

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Leapmotor

XPeng (XPeng)

  • VDP / VRP

    • XPeng offers a private vulnerability reward program through their website, launched in 2022

      • Vehicle Platforms: XPeng specifically includes vehicle vulnerabilities (整车漏洞) as in-scope for their VRP! :)

      • XPeng offers bounty rewards in accordance with four levels of risk

        • Low Risk (低危风险) Vehicle Vulnerability: 200 yuan

        • Medium Risk (中危风险) Vehicle Vulnerability: 1000 yuan

        • High Risk (高危风险) Vehicle Vulnerability: 2500-15000 yuan

        • Serious Risk (严重风险) Vehicle Vulnerability: 5000-50000 yuan

      • At current exchange rates, 50,000 yuan = ~$7,170 USD

      • Submissions to XPeng’s VRP require either a mobile phone number or WeChat account for sign-in

  • Public Cybersecurity Resources

    • XPeng has an entire website dedicated to the security of their vehicles, called “XPSRC”

      • I believe XPSRC is “XPeng Security Response Center”

      • This website has guidance on their bug bounty program and a form for submission of vulnerability reports

      • This page also offers an email address for easy contact with XPeng’s security team.

  • Published Vulnerabilities

    • 0 CVEs have been attributed to XPeng

Xiaomi Auto

  • VDP / VRP

    • Xiaomi operates a private vulnerability reward program through their website, called “MiSRC”

      • Vehicle Platforms: The scope of this VRP specifically includes “car terminals”

      • Xiaomi offers bounty rewards in accordance with four levels of risk:

        • Low Risk: 0-200 yuan

        • Medium Risk: 50-1000 yuan

        • High Risk: 200-3000 yuan

        • Severe Risk: 3000-10000 yuan

      • At current exchange rates, 10,000 yuan = ~$1,434 USD

      • A Xiaomi account is required to submit vulnerabilities to MiSRC

      • In addition to monetary bounties, Xiaomi has a “mall” of products that can be redeemed by researchers based on the number of their accepted vulnerability reports

  • Public Cybersecurity Resources

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Xiaomi Auto

Li Auto (Lixiang)

  • VDP / VRP

    • Lixiang offers a private vulnerability reward program through their website, launched in 2020

      • Vehicle Platforms: Lixiang’s VDP website has a specific category for infotainment-related vulnerabilities! :)

        • This doesn’t exactly cover the whole vehicle, but is a step in the right direction for vehicle-focused vulnerabilities

      • Lixiang offers bounty rewards in accordance with four levels of risk:

        • Low-level vulnerabilities: 50-1000 yuan

        • Medium-level vulnerabilities: 100-5000 yuan

        • High-level vulnerabilities: 500-20,000 yuan

        • Critical-level vulnerabilities: 2,000-100,000 yuan

      • At current exchange rates, 100,000 yuan = ~$14,361 USD

  • Public Cybersecurity Resources

    • The VDP website offers an email address for easy contact with Lixiang’s security team

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Li Auto

NIO

  • VDP / VRP

    • NIO offers a private vulnerability reward program through the BugBank website, launched in 2022

      • This program appears to offer a “mall” style reward program where tokens earned from reporting bugs can be used to redeem physical items or gift cards to popular e-commerce retailers.

      • BugBank’s web filter banned me from their site, I think for refreshing the page too many times D: See the appendix for more info.

        • Unfortunately, because of this I don’t have any more info on their program.

  • Public Cybersecurity Resources

    • I was unable to find any public cybersecurity resources published by NIO.

    • I was unable to find a public email address for contact with NIO’s security team.

  • Published Vulnerabilities

GAC Group

BAIC Group

  • VDP / VRP

    • I was unable to find a VDP / VRP program for BAIC Group or BAIC Motor.

  • Public Cybersecurity Resources

    • I was unable to find published cybersecurity resources for BAIC Group or BAIC Motor.

    • I was unable to find a published email address for BAIC Group or BAIC Motor’s security team.

  • Published Vulnerabilities

    • 0 CVEs have been attributed to BAIC Group

Seres Group

  • VDP / VRP

    • Seres has a private vulnerability reward program available through their SRC website

      • Seres offers bounty rewards in accordance with four levels of risk:

        • Low Risk: 0-1000 yuan

        • Medium Risk: 100-10000 yuan

        • High Risk: 800-50000 yuan

        • Severe Risk: 2000-100000 yuan

      • At current exchange rates, 100,000 yuan = ~$14,361 USD

      • A mobile phone number is required to submit vulnerability reports

        • It lets you select a non-Chinese country code, but appears to still require a Chinese area code.

  • Public Cybersecurity Resources

  • Published Vulnerabilities

    • 0 CVEs have been attributed to Seres Group

Hozon Auto (NETA Auto)

A side note for Hozon Auto, it appears the company is currently going through a $700m USD bankruptcy proceeding. I’m unsure how this will affect their approach to cybersecurity… if they go out of business, will anyone be left to patch security vulnerabilities in their vehicles? While unfortunate, I think it could be an interesting situation to keep an eye on.

Appendix

The appendix holds all supplementary information or references that didn’t have a home in the main portion of the article.

Yellow color used for headings and highlights: #ffd300

Automotive Suppliers

In addition to the OEM vulnerability disclosure programs, many automotive supplier companies also run their own VDP/VRPs.

I’m hoping to cover these in a future blog post, as there will be quite a few companies to research. Unfortunately, you could walk infinitely down the list of suppliers (Tier 1s -> Tier 2s -> Tier 3s, etc.), so I’ll have to come up with a place to cut the list off. I’ll probably try to focus on companies that have a history of building infotainment/IVI systems, or something similar. This is a to-do item for me!

If you know of any supplier VDPs, please feel free to reach out!

VDP Searches

To locate each OEM’s Vulnerability Disclosure Program, I used the following search terms:

  • English

    • Vulnerability Disclosure Program (VDP)

    • Vulnerability Reward Program (VRP)

    • Bug Bounty Program

    • Responsible Disclosure

    • Cybersecurity Disclosure

    • Security Vulnerability

    • Cybersecurity Contact

  • Japanese

    • 脆弱性開示プログラム

  • Simplified Chinese

    • 漏洞披露计划

    • 漏洞安全响应中心

    • 汽车网络安全

    • SRC

CVE Details

For the CVE searches that I’ve included in the article, I decided to use CVEdetails to link directly to each OEM. I don’t have any affiliation with this website, I just liked the UI and it was easy to link to.

This may beg the question: Why not just link to MITRE or NIST themselves? Why use a third party? And this is a valid question - many websites that let you browse CVEs by vendors are simply aggregators of MITRE’s CVE database.

My reasoning was pretty basic: They just provide nice looking GUIs and easy search forms!

You can technically find the same data directly in the MITRE and NIST databases without using a third party by searching with CPE (Common Platform Enumeration) queries, but they’re kind of a pain to use in a casual setting. For example, to find all GM products, you can use “cpe:2.3:*:gm:*:*:*:*:*:*:*:*:*” - which doesn’t exactly roll off the tongue, haha.

So that’s why I used a third-party website for CVE details! Let me know if this website goes down - I’d be happy to swap it out with another one.
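To show what that CPE 2.3 string actually encodes, here is an added example (not code from the post or from any of the databases mentioned) that parses CPE 2.3 formatted strings and applies a vendor-wide wildcard query like the GM one to a small inventory; the inventory entries are constructed, hypothetical product names.

```python
import re
from fnmatch import fnmatchcase

# The eleven components of a CPE 2.3 formatted string, in order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# The vendor-wide query quoted in the text above.
GM_QUERY = "cpe:2.3:*:gm:*:*:*:*:*:*:*:*:*"

# Constructed sample inventory (hypothetical products, not real CPE names).
# The "gmc" entry shows that vendor matching is whole-token, not substring;
# the last entry carries a backslash-escaped colon inside its product name.
SAMPLE_CPES = [
    "cpe:2.3:a:gm:example_companion_app:3.2.1:*:*:*:*:android:*:*",
    "cpe:2.3:h:gm:example_telematics_ecu:-:*:*:*:*:*:*:*",
    "cpe:2.3:o:othervendor:example_ivi_os:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:gmc:example_dealer_tool:2.0:*:*:*:*:*:*:*",
    r"cpe:2.3:a:othervendor:infotainment\:pro:2.1:*:*:*:*:*:*:*",
]

def parse_cpe(cpe: str) -> dict:
    """Split a 'cpe:2.3:...' string into its eleven named components.
    Colons inside a component are backslash-escaped, so split only on
    unescaped colons rather than using a plain str.split(':')."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected 11 components, got {len(parts)}: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts))

def component_matches(pattern: str, value: str) -> bool:
    """A lone '*' (ANY) matches everything; otherwise compare case-insensitively,
    honouring the '*' and '?' wildcards CPE allows inside a component."""
    if pattern == "*":
        return True
    return fnmatchcase(value.lower(), pattern.lower())

def cpe_matches(query: str, name: str) -> bool:
    """True when every component of `name` satisfies the same component of `query`."""
    q, n = parse_cpe(query), parse_cpe(name)
    return all(component_matches(q[f], n[f]) for f in CPE_FIELDS)

def find_matching(query: str, names: list) -> list:
    """Return the entries of `names` that fall under `query`."""
    return [name for name in names if cpe_matches(query, name)]
```

Running `find_matching(GM_QUERY, SAMPLE_CPES)` returns only the two entries whose vendor component is exactly `gm`; the `gmc` entry is excluded, which is the point of matching on the vendor token rather than searching for a substring.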

Non-CVE Data Sources

Another question I’ve considered is: What about non-CVE vulnerability databases? I wanted to make sure the article wasn’t overly US-centric, so I made sure to branch out with my sources of data.

Unfortunate AutoVulnDB Issues

One other database that I’m aware of is the ASRG’s AutoVulnDB, which is intended to be an automotive-specific database of vulnerabilities. Launched back in June of 2024, it includes vulnerabilities provided by NVD (aka, CVEs), VicOne, and the ASRG.

I tried to check this AutoVulnDB database as part of my research, but unfortunately it appeared to be broken. All requests redirected to a “Something went wrong!” error message.

Viewing the network traffic, it seems like the GET request for searching vulnerabilities was met with an API error:

Apparently, the route /vulnerabilities no longer exists in their API. I sent an email over to the ASRG to let them know the system appears to be down.

So, that’s why I didn’t include any data from AutoVulnDB - it was down :(

(Side note: Major shout out to the ASRG! If you’re into automotive cybersecurity, you should definitely check their stuff out - they’re a very down-to-earth group that hosts a lot of cool meetups and events and whatnot.)

Fun Captchas

This is totally off topic, but while looking at various vulnerability reporting pages, I noticed something cool! A few companies had their own totally-custom captchas that were essentially a mini ad for their brand.

The captcha above comes from Li Auto’s website, and is a picture of one of their cars drifting! I’ve never seen this before on a website or VDP, so I thought it was something fun/cool to include in the blog post :)

Non-Fun Captchas

While learning about NIO’s vulnerability disclosure program, I was getting a weird redirect issue on Firefox and ended up refreshing the page 2-3 times in a row. As a result of this, I got auto-banned by BugBank’s web filter D:

I guess it just has really aggressive detection on what they consider “abuse” traffic, probably aided by the fact that I have a foreign IP address. A bummer, I hope it times out after a while or something because I’d love to check out NIO’s SRC program :(

OEM Information Sources

The following links were used when putting together the list of OEMs that were analyzed. While using Wikipedia feels kind of disingenuous compared to real research sources or techniques, that’s what makes this a blog post and not a whitepaper I guess, lol. I don’t think I’ve left any major OEMs out of this survey, but if you notice anything major missing, let me know!

  • https://en.wikipedia.org/wiki/List_of_automobile_manufacturers_of_the_United_States

  • https://cars.usnews.com/cars-trucks/advice/car-brands-available-in-america

  • https://en.wikipedia.org/wiki/List_of_automobile_manufacturers_of_China

Full List of OEMs

Below I’ve included the full list of OEMs that I researched as part of this post. I’ve separated them by rough geographical region, kinda?

American OEMs:

  • General Motors (Buick, Cadillac, Chevrolet, GMC)

  • Stellantis (Chrysler, Dodge, Jeep, Ram Trucks)

  • Ford Motor Company (Ford, Lincoln)

  • Tesla

  • Rivian Automotive, Inc.

  • Lucid Motors

European OEMs:

  • Stellantis Europe (Alfa Romeo, Citroen, Fiat, Lancia, Maserati, Opel, Peugeot, Vauxhall)

  • Jaguar Land Rover (Jaguar, Land Rover)

  • BMW (BMW, Mini, Rolls-Royce)

  • Mercedes-Benz Group

  • Volkswagen Group (Audi, Bentley, Lamborghini, Porsche, Volkswagen)

  • Volvo (Volvo, Polestar)

  • Renault

  • Ferrari

Japanese OEMs:

  • Honda Motor Company (Honda, Acura)

  • Toyota (Toyota, Lexus)

  • Mazda

  • Mitsubishi

  • Nissan (Nissan, Infiniti)

  • Subaru

Korean OEMs:

  • Hyundai Motor Group (Genesis, Hyundai, Kia)

Vietnamese OEMs:

  • VinFast

Indian OEMs:

  • Mahindra & Mahindra (Mahindra)

Chinese OEMs:

  • BYD (BYD, Denza, Fangchengbao, Yangwang, RIDE)

  • Geely Automobile Holdings (Geely, Lynk & Co, Zeekr, Lotus Cars, Volvo, Polestar)

  • Chery (Chery, Exeed, Luxeed, Jetour, iCar, Karry, Omoda, Jaecoo, Lepas, Exlantix, Aiqar)

  • Dongfeng (Dongfeng, Dongfeng Honda, Dongfeng Nissan, Dongfeng Peugeot-Citroen)

  • SAIC (IM Motors, Maxus, MG, Roewe, Baojun, Wuling, Hongyan, Sunwin)

  • Changan (Changan Auto, Changan Nevo, Deepal, Avatr, Kaicene)

  • Great Wall Motor (GWM, Haval, Wey, Tank, Poer, Ora, Spotlight Automotive)

  • FAW Group (Hongqi, Bestune)

  • Leapmotor (Leapmotor)

  • XPeng (XPeng)

  • Xiaomi Auto

  • Li Auto

  • Nio

  • GAC Group

  • BAIC Group

  • Seres Group

  • Hozon Auto
