Cyber Security Audi Vulnerability Reporting Policy

Preserving the safety, security and quality of our products is an important issue to us. Indications from security experts are therefore of utmost importance to us. If you find a potential vulnerability in one of our products, please mail your results to vulnerability@audi.de. Please pay attention to the scope and the disqualifying and qualifying vulnerabilities.
Illustration of a vehicle amidst floating iconsIllustration of a vehicle amidst floating icons

Contact

 

  • Please use only the designated communication channel to report information concerning vulnerabilities.
  • Please send information only in German or English.
  • We strongly encourage you to encrypt all e-mail communications with the public PGP-key , to protect the confidentiality of the data.
  • Provide enough details for us to reproduce the vulnerability
  1. Tell us the date you found the vulnerability
  2. In the case of a vehicle vulnerability please send us all available information about the model, VIN (Vehicle Identification Number), the component(s), part number(s) and software version.
  3. Describe the prerequisites that need to be met to exploit the vulnerability.
  4. Describe the tested system state and if possible, provide Proof-of-Concept code.
  5. Don’t send findings from automated scanning tools only.

Usually we will answer your mail within 2-3 business days and inform you about the further procedure.
Please note that vehicles are subject to safety and legal regulations. Therefore it can be quite a long process to resolve vulnerabilities in vehicles e.g. because of necessary validation. So we kindly ask you to give us time (Responsible Disclosure).

More details

Supplementary information on handling our products

 

  • Any independent activity in context with our products is at your own risk.
  • Always comply with relevant laws.
  • If you want to examine one of our products or vehicles, only use a vehicle in your ownership or one, for that you have the permission of the owner to examine it.
  • Do not access or manipulate data if you do not own it or if you do not have the explicit permission of the owner.
  • Do not start attacks leading to denial-of-service attacks and overall avoid high network load. If you think our servers have a specific problem in dealing with high data load, you are welcome to report it to the designated communication channel and we try to reproduce your findings in a non-productive environment.
  • All activities with criminal relevance are prohibited in any form.
  • Please consider that it is possible to infringe the rights of third parties with reverse engineering. This can lead to legal consequences.
  • Do not conduct activities that could harm you or others.
  • Never endanger road safety and do not perform tests on public roads or places, but only at a secured place with a non-driving vehicle.

Data Protection Notice

Information on the processing of your personal data

Scope

 

  • Products and equipment within the scope:
  • IT systems
  • All hosts in the ownership of Audi AG
  • Apps
  • All apps, that are published by Audi AG, e.g. myAudi app
  • Vehicles that were sold under the brand Audi
  • Equipment that was sold under the brand Audi

 

 

Products and equipment outside the scope:

  • Web pages of Audi partners – occasionally Audi partner use a subdomain of .audi as address for their web site. Audi AG has no control over those web pages. Please contact the corresponding dealer if you find a vulnerability there.

Vulnerabilities

 

Disqualifying vulnerabilities

IT systems und apps:

  • Vulnerabilities outside the scope
  • Denial-of-service attack (DoS / DDoS)
  • Brute-force attack
  • Social engineering
  • Vulnerabilities without an impact on safety or security (Vulnerabilities must have a security or safety impact in order to be considered)
  • URL forwarding
  • reports, generated by automatic scan tools
  • missing TLS communication
  • expired TLS certificates

 

Vehicles:

  • Physical destruction of locks, anti-theft devices etc.
  • Gaining access to a vehicle by physical destruction
  • Use of valid diagnostic functions
  • Denial-of-service attacks on ECUs or bus systems via flooding attacks

 

 

Qualifying vulnerabilities

IT systems OWASP Top 10:

  • Injection
  • Broken Authentication
  • Cross-Site-Scripting (XSS)
  • Insecure Direct Object References
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site-Request-Forgery (CSRF)
  • Using Known Vulnerable Components
  • Unvalidated Redirects and Forwards

 

Vehicles:

  •     Vulnerabilities
        - in firmware updates and cryptographic signatures
        - in identity management
        - in embedded software frameworks
        - in debug interface
        - in network protocols
        - in authentication procedure
  • Buffer and stack overflow
  • Injection
  • Sending of arbitrary data on in-vehicle bus systems (CAN, LIN, Flexray etc.)
  • Unlocking a vehicle
  • Remote-code-execution
  • Compromise of the update mechanism, e. g. flashing an ECU with unauthorized firmware
  • Infringement of DSGVO-specifications: collection, usage, storage and revealing of sensitive data
back to top

© 2025 AUDI AG. All rights reserved

Notice: All consumption and emission values are based on the characteristics of the German market.