• Home
  • Legal
  • Cyber Security Audi Vulnerability Reporting Policy

Cyber Security Audi Vulnerability Reporting Policy

Preserving the safety, security and quality of our products is an important issue to us. Indications from security experts are therefore of utmost importance to us. If you find a potential vulnerability in one of our products, please mail your results to vulnerability@audi.de. Please pay attention to the scope and the disqualifying and qualifying vulnerabilities.


  • Please use only the designated communication channel to report information concerning vulnerabilities.
  • Please send information only in German or English.
  • We strongly encourage you to encrypt all e-mail communications with the public PGP-key, to protect the confidentiality of the data.
  • Provide enough details for us to reproduce the vulnerability
  1. Tell us the date you found the vulnerability
  2. In the case of a vehicle vulnerability please send us all available information about the model, VIN (Vehicle Identification Number), the component(s), part number(s) and software version.
  3. Describe the prerequisites that need to be met to exploit the vulnerability.
  4. Describe the tested system state and if possible, provide Proof-of-Concept code.
  5. Don’t send findings from automated scanning tools only.

Usually we will answer your mail within 2-3 business days and inform you about the further procedure.
Please note that vehicles are subject to safety and legal regulations. Therefore it can be quite a long process to resolve vulnerabilities in vehicles e.g. because of necessary validation. So we kindly ask you to give us time (Responsible Disclosure).

Supplementary information on handling our products

More details

  • Any independent activity in context with our products is at your own risk.
  • Always comply with relevant laws.
  • If you want to examine one of our products or vehicles, only use a vehicle in your ownership or one, for that you have the permission of the owner to examine it.
  • Do not access or manipulate data if you do not own it or if you do not have the explicit permission of the owner.
  • Do not start attacks leading to denial-of-service attacks and overall avoid high network load. If you think our servers have a specific problem in dealing with high data load, you are welcome to report it to the designated communication channel and we try to reproduce your findings in a non-productive environment.
  • All activities with criminal relevance are prohibited in any form.
  • Please consider that it is possible to infringe the rights of third parties with reverse engineering. This can lead to legal consequences.
  • Do not conduct activities that could harm you or others.
  • Never endanger road safety and do not perform tests on public roads or places, but only at a secured place with a non-driving vehicle.

Data Protection Notice

Information on the processing of your personal data


  • Products and equipment within the scope:
  • IT systems
    All hosts in the ownership of Audi AG
  • Apps
    All apps, that are published by Audi AG, e.g. myAudi app
  • Vehicles that were sold under the brand Audi
  • Equipment that was sold under the brand Audi

Products and equipment outside the scope:

  • Web pages of Audi partners – occasionally Audi partner use a subdomain of .audi as address for their web site. Audi AG has no control over those web pages. Please contact the corresponding dealer if you find a vulnerability there.



Disqualifying vulnerabilities

IT systems und apps:

  • Vulnerabilities outside the scope
  • Denial-of-service attack (DoS / DDoS)
  • Brute-force attack
  • Social engineering
  • Vulnerabilities without an impact on safety or security (Vulnerabilities must have a security or safety impact in order to be considered)
  • URL forwarding
  • reports, generated by automatic scan tools
  • missing TLS communication
  • expired TLS certificates


  • Physical destruction of locks, anti-theft devices etc.
  • Gaining access to a vehicle by physical destruction
  • Use of valid diagnostic functions
  • Denial-of-service attacks on ECUs or bus systems via flooding attacks

Qualifying vulnerabilities

IT systems OWASP Top 10:

  • Injection
  • Broken Authentication
  • Cross-Site-Scripting (XSS)
  • Insecure Direct Object References
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site-Request-Forgery (CSRF)
  • Using Known Vulnerable Components
  • Unvalidated Redirects and Forwards


  • Vulnerabilities
    - in firmware updates and cryptographic signatures
    - in identity management
    - in embedded software frameworks
    - in debug interface
    - in network protocols
    - in authentication procedure
  • Buffer and stack overflow
  • Injection
  • Sending of arbitrary data on in-vehicle bus systems (CAN, LIN, Flexray etc.)
  • Unlocking a vehicle
  • Remote-code-execution
  • Compromise of the update mechanism, e. g. flashing an ECU with unauthorized firmware
  • Infringement of DSGVO-specifications: collection, usage, storage and revealing of sensitive data


Audi worldwide

Models, products and services – switch to your country / sales region website and discover the regional diversity of Audi.



    You are using an unsupported browser to access this website. To get the best User-Experience while visiting the website, please use the latest versions of Chrome, Firefox, Safari or Edge.

    Thank you very much for your visit.
    Your Audi Team

    The international Audi website

    Discover Audi as a brand, company and employer on our international website. Experience our vision of mobility and let yourself be inspired.

    Audi of America: models, products and services

    Explore the full lineup of SUVs, sedans, e-tron models & more. Build your own, search inventory and explore current special offers.

    Switch to audiusa.com

    Error report

    The feedback form is currently unavailable.
    Please try again later.

    You may deactivate your ad blocker to view the feedback form.