Cyber Security Vulnerability Reporting
Preserving the safety, security and quality of our products is important to us, so reports from security researchers are of great value to us. If you find a potential vulnerability in one of our products, please mail your results to vehicle.vulnerabilities@bentley.co.uk. Please pay attention to the scope and to the lists of qualifying and disqualifying vulnerabilities below.
CONTACT
Please use only the designated communication channel to report information concerning vulnerabilities.
Please send information only in English.
Provide enough details for us to reproduce the vulnerability.
Tell us the date on which you found the vulnerability.
In the case of a vehicle vulnerability please send us all available information about the model, VIN (Vehicle Identification Number), the component(s), part number(s) and software version.
Describe the prerequisites that need to be met to exploit the vulnerability.
Describe the tested system state and, if possible, provide proof-of-concept code.
Do not send findings that are based solely on the output of automated scanning tools.
Any independent testing of our products is at your own risk.
Always comply with relevant laws.
If you want to examine one of our products or vehicles, only use a vehicle that you own or one whose owner has given you permission to examine it.
Do not access or manipulate data if you do not own it or if you do not have the explicit permission of the owner.
Do not perform denial-of-service attacks and, in general, avoid generating high network load. If you believe our servers have a specific problem handling high load, you are welcome to report it via the designated communication channel and we will reproduce your findings in a non-production environment.
All activities with criminal relevance are prohibited in any form.
Please be aware that reverse engineering may infringe the rights of third parties and can have legal consequences.
Do not conduct activities that could harm you or others.
Never endanger road safety: do not perform tests on public roads or in public places, but only at a secured location with a stationary vehicle.
We will usually answer your mail within 2-3 business days and inform you about the further procedure. Please note that vehicles are subject to safety and legal regulations, so resolving a vulnerability in a vehicle can take a long time, e.g. because of the validation that is required. We therefore kindly ask you to give us time (responsible disclosure).
Scope
Products and equipment within the scope:
IT systems
All hosts owned by Bentley Motors
Apps
All apps published by Bentley Motors, e.g. My Bentley
Vehicles that were sold under the brand Bentley Motors
Equipment that was sold under the brand Bentley Motors
Web pages of Bentley partners are not in scope. Occasionally a Bentley partner uses a subdomain of bentleymotors as the address for their web site. Bentley Motors has no control over those web pages; please contact the corresponding dealer if you find a vulnerability there.
Vulnerabilities
Vulnerabilities outside the scope
Denial-of-service attack (DoS / DDoS)
Brute-force attack
Social engineering
Vulnerabilities without an impact on safety or security (Vulnerabilities must have a security or safety impact in order to be considered)
URL forwarding
Reports, generated by automatic scan tools
Missing TLS communication
Expired TLS certificates
Physical destruction of locks, anti-theft devices etc.
Gaining access to a vehicle by physical destruction
Use of valid diagnostic functions
Denial-of-service attacks on ECUs or bus systems via flooding attacks
Vulnerabilities within the scope
Injection
Broken Authentication
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Known Vulnerable Components
Unvalidated Redirects and Forwards
Firmware updates and cryptographic signatures
Identity management
Embedded software frameworks
Debug interface
Network protocols
Authentication procedure
Buffer and stack overflow
Sending of arbitrary data on in-vehicle bus systems (CAN, LIN, FlexRay etc.)
Unlocking a vehicle
Remote code execution
Compromise of the update mechanism, e.g. flashing an ECU with unauthorized firmware
Violation of GDPR requirements: collection, use, storage and disclosure of sensitive data