Cyber Security Audi Vulnerability Reporting Policy
- Please use only the designated communication channel to report information concerning vulnerabilities.
- Please send information only in German or English.
- We strongly encourage you to encrypt all e-mail communications with the public PGP key to protect the confidentiality of the data.
- Provide enough details for us to reproduce the vulnerability.
- Tell us the date on which you found the vulnerability.
- In the case of a vehicle vulnerability please send us all available information about the model, VIN (Vehicle Identification Number), the component(s), part number(s) and software version.
- Describe the prerequisites that need to be met to exploit the vulnerability.
- Describe the tested system state and if possible, provide Proof-of-Concept code.
- Don’t send findings from automated scanning tools only.
Usually we will answer your e-mail within 2-3 business days and inform you about the next steps.
Please note that vehicles are subject to safety and legal regulations. Resolving vulnerabilities in vehicles can therefore be a lengthy process, e.g. because of the validation required. We kindly ask you to give us time (Responsible Disclosure).
Supplementary information on handling our products
- Any independent activity in context with our products is at your own risk.
- Always comply with relevant laws.
- If you want to examine one of our products or vehicles, only use a vehicle that you own or one for which you have the owner's permission to examine it.
- Do not access or manipulate data that you do not own or for which you do not have the explicit permission of the owner.
- Do not launch attacks that lead to denial of service, and in general avoid high network load. If you think our servers have a specific problem in dealing with high data load, you are welcome to report it via the designated communication channel and we will try to reproduce your findings in a non-productive environment.
- All activities with criminal relevance are prohibited in any form.
- Please consider that reverse engineering may infringe the rights of third parties, which can lead to legal consequences.
- Do not conduct activities that could harm you or others.
- Never endanger road safety and do not perform tests on public roads or in public places, but only at a secured place with a stationary vehicle.
Products and equipment within the scope:
- IT systems
  - All hosts owned by Audi AG
  - All apps published by Audi AG, e.g. the myAudi app
- Vehicles sold under the Audi brand
- Equipment sold under the Audi brand
Products and equipment outside the scope:
- Web pages of Audi partners: occasionally Audi partners use a subdomain of .audi as the address for their web site. Audi AG has no control over those web pages. Please contact the corresponding dealer if you find a vulnerability there.
Vulnerabilities outside the scope
IT systems and apps:
- Denial-of-service attacks (DoS / DDoS)
- Brute-force attacks
- Social engineering
- Vulnerabilities without an impact on safety or security (vulnerabilities must have a security or safety impact in order to be considered)
- URL forwarding
- Reports generated by automatic scanning tools
- Missing TLS communication
- Expired TLS certificates
Vehicles:
- Physical destruction of locks, anti-theft devices etc.
- Gaining access to a vehicle by physical destruction
- Use of valid diagnostic functions
- Denial-of-service attacks on ECUs or bus systems via flooding attacks
IT systems OWASP Top 10:
- Broken Authentication
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Known Vulnerable Components
- Unvalidated Redirects and Forwards
Vehicles:
- Vulnerabilities in firmware updates and cryptographic signatures
- Vulnerabilities in identity management
- Vulnerabilities in embedded software frameworks
- Vulnerabilities in debug interfaces
- Vulnerabilities in network protocols
- Vulnerabilities in authentication procedures
- Buffer and stack overflows
- Sending of arbitrary data on in-vehicle bus systems (CAN, LIN, FlexRay etc.)
- Unlocking a vehicle
- Compromise of the update mechanism, e.g. flashing an ECU with unauthorized firmware
- Infringement of GDPR (DSGVO) requirements: collection, usage, storage and disclosure of sensitive data