As a Non-Profit Organization, we support the automotive industry to build the most secure products possible and help to develop secure solutions by providing knowledge, collaborating with other market players, promoting networking and sharing information. Because of this mission, we take security issues very seriously and recognize the importance of privacy and security to protect the society from harm.
As such, we aim to provide a disclosure program for the security community by which you can report privacy and security issues related to the automotive industry and/or ecosystems (e.g. Backend systems, Charging Stations, Automotive connected services, etc). To accomplish this, we are committed to help address and report vulnerabilities through a coordinated and secure program.
All products contain bugs or unexpected behavior under certain circumstances. If you are a Security Researcher, a Security Enthusiast, an Ethical Hacker or even a Developer and have discovered an issue, which you believe to be a potential security vulnerability or incident, we would like to help you with coordination during the vulnerability disclosure process and to handle and fix the found problem, finally. To do this please proceed as follows and choose the appropriate way to contact us.
Our disclosure program aims to protect both the maintainer and the reporting researcher, allowing automotive manufacturers, suppliers and service providers to safely benefit from the discovery of these vulnerabilities or incidents prior to public disclosure, rewarding those researchers for their dedication on one hand and helping automotive product consumers to get more secure products on other hand.
We invite you to provide your information by using the following PGP key at [email protected].
-----BEGIN PGP PUBLIC KEY BLOCK----- mDMEXfZaxhYJKwYBBAHaRw8BAQdA8nf5HBmWodXYFL0lFkFseDbLEsK9z6hVE4q5 T1roMp20NUF1dG9tb3RpdmUgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAgPHNlY3Vy aXR5QGFzcmcuaW8+iJAEExYIADgWIQQJpZIJ9bdEZ/TyJ5DA7r+5geeN/wUCXfZa xgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDA7r+5geeN/6AoAQCr7Kry oLGWRYfpxTnLmEvd1syWLRfQec4Phq2TlDJkIgEAiyTddc9MSqTmlO6yOmWEDYgG ARRxqB05BzHm+zjXFwi4OARd9lrGEgorBgEEAZdVAQUBAQdAad6SKDErYMStAspI X6EdwaDYWf4zmuRs8Ug3u6rqS1EDAQgHiHgEGBYIACAWIQQJpZIJ9bdEZ/TyJ5DA 7r+5geeN/wUCXfZaxgIbDAAKCRDA7r+5geeN/5+nAQDp4lvcUgS2sVarziTbsYFp k8k5us1L9byizd6vmeEJRwEA1hra8B6BY066r2n8ciVbKaT5hdI8mjxYNhKqPjp3 pA4= =HtMt -----END PGP PUBLIC KEY BLOCK-----
A submitted vulnerability report should contain the following details as a minimum:
- affected component
- service or product in case it is important the versions of the affected components
- services or products relevant vendor and ecosystem information
- vulnerability or incident details
- steps to reproduce it (proof-of-concept)
Please take care, because we do not want to receive:
- Personally identifiable information (PII) from 3rd parties
Once ASRG received your report, we will take several steps:
- ASRG requests the issue provider to keep any communication regarding the vulnerability confidential until the completion of the disclosure process as ASRG are doing it as well.
- In case the vulnerability report is not fully understandable or incomplete, ASRG will contact the issue provider to clarify the information gaps.
- If the report fulfills the needed information quality, ASRG will contact the affected manufacturer. In case the issue provider will be directly involved in the communication with the manufacturer ASRG will establish this communication channel.
- ASRG will relay the vulnerability details, advise on potential remediation, and collaborate on a public disclosure timeline.
- If none of the involved parties requests another option, ASRG follows a 90-day responsible disclosure and remediation timeline. ASRG’s interest is it to grant the affected manufacturer a period of time for fixing the vulnerability and preventing any future damage for public consumers and the manufacturer itself before the information will be publicly announced. Furthermore, an extension of this time period can be provided at manufacturer’s request and depending on the severity or complexity of the disclosed vulnerability, ASRG is going to wait for the publication until an effective fix is available.
- If the affected manufacturer does not acknowledge or reply to the initial disclosure email within 30 business days of the original notification, ASRG resend the vulnerability details to the original point of contact of the manufacturer and at least one secondary contact, if a secondary contact is publicly available.
- If additional 10 business days elapse with no response from the manufacturer after the second notification (in total 40 business days since original notification), ASRG resend the vulnerability details not only to the previous two contacts, but also to confidential stakeholders like Auto-ISAC.
- In case the affected manufacturer does not respond to any of the three notification attempts within additional 10 business days following the third notification (in total 50 business days since original notification), or if the manufacturer indicates they do not wish to coordinate disclosure, ASRG may elect to issue a public advisory with no further collaboration after 90 days publication embargo.
- After receiving a statement from the affected manufacturer, ASRG will evaluate it together with the issue provider and decide for further steps depended on the response.
- ASRG will clarify together with the affected manufacturer and the issue provider what is the best way for everyone involved to publish the discovered vulnerability giving full credit to the originator of the issue.
- ASRG, as an officially recognized CVE Central Naming Authority (CNA), assigns a CVE to the vulnerability.
The affected manufacturer should acknowledge receiving of notifications to ASRG with the following details:
- first confirmation that the vulnerability information has been received
- a point of contact responsible for coordinating and tracking information on the provided issue within their company
- an estimation up to when the completion of the initial investigation will be completed
- a timeline needed for own investigations
- provide information updates
- if needed request official to extend the time period for fixing before publication
We greatly appreciate the efforts of different kind of dedicated people to discover security vulnerabilities and share this information in a trustful way. ASRG commit to respect the interest of the issue provider and can help to solve possible escalation situations.