It is Daimler’s goal to offer its customers the best and most secure products such as connected cars and other services. Daimler values the work of security researchers and whitehat hackers who spend time and effort helping us to achieve this goal.
If you have found a vulnerability or other security issues in our infrastructure or products, please feel free to contact us. We will work with you to resolve the issue.
Safety first! Don't do anything that could cause harm to yourself or others. Keep in mind that a vehicle has several systems like airbags that could cause serious injury when misused. If in doubt, let it be.
If you work on a vehicle, don't try anything that could interfere with road safety and don't experiment on public roads. Only perform testing in a safe place with a stationary vehicle.
Use special caution when interacting with safety-critical devices such as brake systems, steering components, the engine or high voltage components like the car battery.
Always obey your local laws!
If you work on a product or vehicle, use only a vehicle that you own or have the owners permission to work on. Do not modify or copy data that doesn't belong to you. We explicitly reject criminal activity in any form.
We utilize code written by third-parties. That code parts belong to their respective owners. We can’t grant you permission to reverse engineer any of that code.
Coordinated Disclosure Guidelines
- Please read our guidelines which vulnerabilities qualify for reporting
- Test only systems in Scope
- Please provide the details we need to reproduce the vulnerability.
- Describe the prerequisites that need to be met to exploit the vulnerability
- Describe the tested system state
- If possible, provide Proof-of-Concept code
- If your report is about a vehicle, please tell us make, model, VIN, and if possible the names and part numbers of the affected components.
- When searching for vulnerabilities, please try to be as little intrusive as possible. Use only harmless payloads in your exploits.
- Do not disrupt our services with intend and make an good-will effort to do not disrupt our services by accident.
- Use test accounts and don’t compromise other users accounts, data or privacy
- Don’t use or report findings from automated scanning tools
- Don’t start DoS attacks or try to generate high loads in general. If you think our servers have a specific problem in handling high loads you can discuss that theoretically with us and we try to reproduce your findings in a non-productive environment
All hosts owned by Daimler AG.
All Apps published by Daimler AG, for example:
- Mercedes me
- Mercedes me Adapter
- Remote Park-Pilot
- Mercedes-Benz Guides
- Smart cross connect
- All Vehicles sold under the brands
- Any accessory or component for use with the above vehicles sold under these brands
- Dealership Websites - Some Dealerships use a subdomain of mercedes-benz.com to host their websites. Nevertheless Daimler is not in control of these sites. Please contact the appropriate Dealership in these cases.
- OWASP Embedded Application Security Top 10
- Remote Code Execution
- Sensitive Data Exposure
- Broken Authentication
- Compromise of update mechanisms, e.g. Flashing an ECU with arbitrary firmware
- Remote sending of arbitrary data on in-vehicle bus systems (CAN,LIN, Flexray, etc)
- Unlocking vehicle functions
- OWASP Top 10
- Broken Authentication and Session Management
- Cross-Site-Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
Discovering vulnerabilities from applications/systems not listed in scope, Denial of Service (DoS/DDoS), Brute Force attacks and Social engineering attacks are prohibited. Only vulnerabilities with security impact will be considered.
- Physical destruction of locks / anti-theft mechanisms, etc.
- Gaining access to the car by physical destruction
- Use of valid diagnostic functions
- DoS of ECUs or Bus Systems through Flooding
- Bugs that require a very high level of user interaction (e.g. typing the complete exploit code into an input field)
- Logout CSRF
- Absence of TLS-Communication (e.g. http only, in contrast to the use of broken TLS mechanisms)
- Expired TLS certificates
- URL redirection
- Reports generated by automatic scanning tools
If you found a flaw in an application written by a third-party we will try to contact them and forward your findings to them in an anonymized form. In this case we will ask you if you want your contact details to be sent to the third-party, so that they can further discuss that topic with you.
Please refrain from publishing technical details of any vulnerability you find to give us an opportunity to fix it. We try to work out a disclosure timeline with you.
Please be aware that other than standard IT systems we cannot force somebody to install an update as the vehicles belong to our customers and are not under our control. Therefore it can take a long time after a patch is released before a significant part of vehicles on the road are patched.
We try to answer your mail within two business days. If possible please send your mail in English. Mails in other languages might take significantly more time for us to reply. After our first answer we will evaluate your findings and an expert will contact you within a week.
Note: If you found a flaw in our vehicles, please note that fixing a bug in a vehicle is a substantially different process than fixing a bug in classic IT systems. Vehicle software needs to meet high safety and regulatory requirements, therefore fixing a bug takes significantly more time.
Before submitting a report, please read our Coordinated Disclosure Guidelines above.
You can submit any vulnerability in our systems and products to firstname.lastname@example.org using PGP or S/MIME. The corresponding public key can be requested here.