Hero Main v4.jpg

Cyber Security Vulnerability Reporting

Preserving the safety, security and quality of our products is an important issue to us. Indications from security experts are therefore of utmost importance to us. If you find a potential vulnerability in one of our products, please mail your results to vehicle.vulnerabilities@bentley.co.uk. Please pay attention to the scope and the disqualifying and qualifying vulnerabilities.

Read more


How to contact us?

Please use only the designated communication channel to report information concerning vulnerabilities.

Please send information only in English.

Provide enough details for us to reproduce the vulnerability.

What to include?

Tell us the date you found the vulnerability

In the case of a vehicle vulnerability please send us all available information about the model, VIN (Vehicle Identification Number), the component(s), part number(s) and software version.

Describe the prerequisites that need to be met to exploit the vulnerability.

Describe the tested system state and if possible, provide Proof-of-Concept code.

Don’t send findings from automated scanning tools only.

Supplementary information on handling our products

Any independent activity in context with our products is at your own risk.

Always comply with relevant laws.

If you want to examine one of our products or vehicles, only use a vehicle in your ownership or one, for that you have the permission of the owner to examine it.

Do not access or manipulate data if you do not own it or if you do not have the explicit permission of the owner.

Do not start attacks leading to denial-of-service attacks and overall avoid high network load. If you think our servers have a specific problem in dealing with high data load, you are welcome to report it to the designated communication channel and we will reproduce your findings in a non-productive environment.

All activities with criminal relevance are prohibited in any form.

Please consider that it is possible to infringe the rights of third parties with reverse engineering. This can lead to legal consequences.

Do not conduct activities that could harm you or others.

Never endanger road safety and do not perform tests on public roads or places, but only at a secured place with a non-driving vehicle.

Usually we will answer your mail within 2-3 business days and inform you about the further procedure. Please note that vehicles are subject to safety and legal regulations. Therefore it can be quite a long process to resolve vulnerabilities in vehicles e.g. because of necessary validation. So we kindly ask you to give us time (Responsible Disclosure).


Products and equipment within scope

Products and equipment within the scope:

IT systems

All hosts in the ownership of Bentley Motors Apps

All apps, that are published by Bentley Motors, e.g. My Bentley

Vehicles that were sold under the brand Bentley Motors

Equipment that was sold under the brand Bentley Motors

Products and equipment outside of the scope

Web pages of Bentley partners – occasionally Bentley partner use a subdomain of .bentleymotors as address for their web site. Bentley Motors has no control over those web pages. Please contact the corresponding dealer if you find a vulnerability there.


Disqualifying vulnerabilities found in: IT systems and apps

Vulnerabilities outside the scope

Denial-of-service attack (DoS / DDoS)

Brute-force attack

Social engineering

Vulnerabilities without an impact on safety or security (Vulnerabilities must have a security or safety impact in order to be considered)

URL forwarding

Reports, generated by automatic scan tools

Missing TLS communication

Expired TLS certificates

Disqualifying vulnerabilities found in: vehicles

Physical destruction of locks, anti-theft devices etc.

Gaining access to a vehicle by physical destruction

Use of valid diagnostic functions

Denial-of-service attacks on ECUs or bus systems via flooding attacks

Qualifying vulnerabilities found in: IT systems OWASP Top 10


Broken Authentication

Cross-Site-Scripting (XSS)

Insecure Direct Object References

Security Misconfiguration

Sensitive Data Exposure

Missing Function Level Access Control

Cross-Site-Request-Forgery (CSRF)

Using Known Vulnerable Components

Unvalidated Redirects and Forwards

Qualifying vulnerabilities found in: vehicles

Firmware updates and cryptographic signatures

Identity management

Embedded software frameworks

Debug interface

Network protocols

Authentication procedure

Buffer and stack overflow

Sending of arbitrary data on in-vehicle bus systems (CAN, LIN, Flexray etc.)

Unlocking a vehicle


Compromise of the update mechanism, e. g. flashing an ECU with unauthorized firmware

Infringement of GDPR-specifications: collection, usage, storage and revealing of sensitive data