Responsible Disclosure Policy:

This page is for cybersecurity researchers interested in reporting product cybersecurity vulnerabilities of ESR Labs as part of Accenture Industry X. This is intended for product cybersecurity vulnerabilities only.

If you have reported an issue determined to be within program scope, is determined to be a valid cybersecurity issue, and you have followed program guidelines, ResponsibleDisclosure.com will recognize your finding and you will be allowed to disclose the vulnerability after a fix has been issued. Please refer all questions to responsibledisclosure.com.

Typical Vulnerabilities Accepted:

• Code execution Attacks on Secure Automotive Controls. e.g. Bootloaders,Diagnosis Access, Communication channels
• Physical Attacks on Secured Automotive Embedded ECUs
• Electrical glitching attacks
• Denial of Service Attacks, Replay Attacks on Secure Automotive Gateways
• Compromise if over the air software updates procedures for Secured Embedded Automotive ECUs
• Extraction of secret material
• Other automotive related vulnerabilities with demonstrated impact
• OWASP vulnerabilities
• Vulnerabilities found in Opensource originated from ESR Labs

Typical Out of Scope:

• Theoretical vulnerabilities
• Informational disclosure of non-sensitive data

For a full list of program scope please visit the Responsible Disclosure details page.

Responsible Disclosure Guidelines:

• Adhere to all legal terms and conditions outlined at responsibledisclosure.com
• Work directly with ResponsibleDisclosure.com on vulnerability submissions
• Provide detailed description of a proof of concept to detail reproduction of vulnerabilities
• Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
• Do not engage in social engineering or phishing of customers or employees
• Do not request compensation for time and materials or vulnerabilities discovered