
Cyber Security Audi Vulnerability Reporting Policy

Preserving the safety, security and quality of our products is important to us, so reports from security researchers are of great value. If you find a potential vulnerability in one of our products, please e-mail your findings to vulnerability@audi.de. Before reporting, please check the scope and the lists of qualifying and disqualifying vulnerabilities below.

Contact

  • Please use only the designated communication channel to report information concerning vulnerabilities.
  • Please send information only in German or English.
  • We strongly encourage you to encrypt all e-mail communication with our public PGP key to protect the confidentiality of the data.
  • Provide enough detail for us to reproduce the vulnerability:
  1. Tell us the date on which you found the vulnerability.
  2. In the case of a vehicle vulnerability, send us all available information about the model, the VIN (Vehicle Identification Number), the affected component(s), part number(s) and software version(s).
  3. Describe the prerequisites that must be met to exploit the vulnerability.
  4. Describe the state of the tested system and, if possible, provide proof-of-concept code.
  5. Do not send findings that consist only of automated scanning tool output.

We will usually answer your e-mail within 2-3 business days and inform you about the further procedure.
Please note that vehicles are subject to safety and legal regulations. Resolving a vehicle vulnerability can therefore take a long time, for example because of the validation that is required. We kindly ask you to allow us that time (responsible disclosure).

Supplementary information on handling our products


  • Any independent activity involving our products is at your own risk.
  • Always comply with the applicable laws.
  • If you want to examine one of our products or vehicles, only use a vehicle that you own or one whose owner has given you permission to examine it.
  • Do not access or manipulate data that you do not own unless you have the explicit permission of the owner.
  • Do not launch denial-of-service attacks, and avoid generating high network load in general. If you believe our servers have a specific problem handling high load, you are welcome to report it through the designated communication channel and we will try to reproduce your findings in a non-production environment.
  • All activities of criminal relevance are prohibited in any form.
  • Please be aware that reverse engineering can infringe the rights of third parties and may have legal consequences.
  • Do not conduct activities that could harm you or others.
  • Never endanger road safety: do not perform tests on public roads or in public places, but only at a secured location with a stationary vehicle.


Scope

Products and equipment within the scope:

  • IT systems
    All hosts owned by Audi AG
  • Apps
    All apps published by Audi AG, e.g. the myAudi app
  • Vehicles sold under the Audi brand
  • Equipment sold under the Audi brand

Products and equipment outside the scope:

  • Web pages of Audi partners. Audi partners occasionally use a subdomain of .audi as the address of their web site. Audi AG has no control over those web pages; if you find a vulnerability there, please contact the corresponding dealer.

Vulnerabilities


Disqualifying vulnerabilities

IT systems and apps:

  • Vulnerabilities outside the scope
  • Denial-of-service attack (DoS / DDoS)
  • Brute-force attack
  • Social engineering
  • Vulnerabilities without an impact on safety or security (a finding must have a security or safety impact in order to be considered)
  • URL forwarding
  • Reports generated only by automated scanning tools
  • Missing TLS for a connection
  • Expired TLS certificates

Vehicles:

  • Physical destruction of locks, anti-theft devices etc.
  • Gaining access to a vehicle by physical destruction
  • Use of valid diagnostic functions
  • Denial-of-service attacks on ECUs or bus systems via flooding attacks

Qualifying vulnerabilities

IT systems (the OWASP Top 10 categories, as listed in the 2013 edition):

  • Injection
  • Broken Authentication
  • Cross-Site-Scripting (XSS)
  • Insecure Direct Object References
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site-Request-Forgery (CSRF)
  • Using Known Vulnerable Components
  • Unvalidated Redirects and Forwards

Vehicles:

  • Vulnerabilities in
    - firmware updates and cryptographic signatures
    - identity management
    - embedded software frameworks
    - debug interfaces
    - network protocols
    - authentication procedures
  • Buffer and stack overflows
  • Injection
  • Sending arbitrary data on in-vehicle bus systems (CAN, LIN, FlexRay etc.)
  • Unlocking a vehicle
  • Remote code execution
  • Compromise of the update mechanism, e.g. flashing an ECU with unauthorized firmware
  • Violations of GDPR (DSGVO) requirements: collection, use, storage or disclosure of sensitive data
