Disclosure

Existing Disclosure Programs

Before using the ASRG process, check whether the affected company already runs its own program: the ASRG Disclosure Process exists to support responsible disclosure when direct communication with the responsible company is unavailable or goes unanswered. Please use the link here to find a list of the known existing automotive vulnerability and incident disclosure programs.

POLICY

As a non-profit organisation, we support the automotive industry in building the most secure products possible and help to develop secure solutions by providing knowledge, collaborating with other market players, promoting networking and sharing information. Because of this mission, we take security issues very seriously and recognise the importance of privacy and security in protecting society from harm.

As such, we aim to provide a disclosure program for the security community through which you can report privacy and security issues related to the automotive industry and its ecosystems (e.g. backend systems, charging stations, automotive connected services). To accomplish this, we are committed to helping address and report vulnerabilities through a coordinated and secure program.

All products contain bugs or behave unexpectedly under certain circumstances. If you are a security researcher, security enthusiast, ethical hacker or developer and have discovered an issue which you believe to be a potential security vulnerability or incident, we would like to help you coordinate the vulnerability disclosure process so that the problem is handled and, finally, fixed. To do this, please proceed as follows and choose the appropriate way to contact us.

Our disclosure program aims to protect both the maintainer and the reporting researcher, allowing automotive manufacturers, suppliers and service providers to benefit safely from the discovery of these vulnerabilities or incidents prior to public disclosure. It rewards researchers for their dedication on the one hand and helps consumers of automotive products get more secure products on the other.

Please send your report, encrypted with the following PGP key, to security@asrg.io. After importing the key, confirm that its full fingerprint is 30CF FF73 3767 B95B CA1B 06C2 AF06 33B2 ECC7 A7B4 before encrypting to it; the 64-bit key ID alone is not sufficient to identify a key.

Automotive Security Research Group <security@asrg.io> (AF0633B2ECC7A7B4)

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGPJkyMBEADMzFFclPmDd8swq891NyETvAS6hzppG5CwlQ9st52W0HlVMop4
oylPh+swFW7nCifJAbMnz1WxVKKP0aYRWOCYK1mrJ/a01FZIQIxQqJUWx3zglF95
FTp4OqiO4u+5NwTz4NGRouXdHTEeL2C1FgwYGMntDPAihKjUnSbqnSeulfs6VBnU
Fy2G8jXYnubi4/sQ7TAHR/e0LruXVWhCmKa7Dd00kSRljdcerE2nn6DX61UWBdTl
UIffQCRY0oU5ZP5nH2Y+ltFLe7bKJu3QtrQqhMCZZBKHmgY4hK7zoKEWBOBhr0hU
GQKaRHBPhNu6Z4sAuksGkXbE2KRxfEIOMKLg2y5q/mdG2NcjTZXXDbXf6Gi3SMyB
S7uybA1DofXQ1cEhCA/iSxtar5pcFMXrijkFVe7VRDH/qrl5h7anY4Jlrh74HUri
rFWINb4sTbxFKQ/dwUL5CXdYMdsIh9UBiFWFOywoK02ZZ0skJOPmBpjmUdAvFjR3
JoW20MrjONkoGi3ZXoKy7MCHA/MEiZ+ewveAq8njZpaPcwYZO/lDROC/xf8mpMHT
dPz23D+5TjwoLpQw927oEXCw+nuus2iLPREVuQIhy9/QhBTatDjtn2CNbNloKUXB
ha167VCvj821fx1U7kOktNphVgwMfdqbiypFEhxZZdPQyIfSdPf/PU9pTwARAQAB
tDVBdXRvbW90aXZlIFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwIDxzZWN1cml0eUBh
c3JnLmlvPokCVAQTAQgAPhYhBDDP/3M3Z7lbyhsGwq8GM7Lsx6e0BQJjyZMjAhsD
BQkHhh9QBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEK8GM7Lsx6e00wkP/3Nz
Z+OlK/ZaE337RqsZnlZJBnP7hTLMx7dLN851pNizGQse08/rvoiQl6NFAZRTIN3O
2H3LlW8Zg/ihl3nFjwK93nYqlvEty3nLQtoP/e5eG2zfvbJxscUdu17YmYXlRCA2
+0kFHQEH0HYCEpDrK92ipz5cR2vNj9coSY1n6syTR+cAAyiToVzZP5WYAssW+q0S
4PoIpeUKwu7GOVFKGtnKUsp+I4KgeFj+FEtmxb93ss6qdfvZkKWq5Iu/C9MR1lXQ
xSaFifWpY8DFE4PHtgyh1xEPJVO02k+0WmpmuGvB+x99RlzjGes2bKJhPHoYUAY1
4eqagXwK5dPpYiAW5ltinMVbSGlzKwrfNrGOJWtMxVkIMcxW1SABL/Uy2NvuMlLM
9Ti03cayZcvM9aVzf96aQRkN7Ttert/8RYbL5SLreYoq/eqxxT/TTkcy4qN1ryKx
Z3htduzpOMphubrs8wfM646oMsrSe495J1ZfZNjmwG+2+c9nhr9g/sEuho7Lc0lP
QO4Mh9f6hezjhjzOiNdwqOC6vRZTU5OSv7AbNMKPgdI/QD3lMLcY+5pvtzqsGFxt
6q5toG8ADDr0HzynFfuI6Khu9p/WAFm7TLigXKasmgKsK4fjzmFN31BKst/Xrjgj
1UThjKsYMs5VMCMy/yg8n+A/OmFRx6uCimEXOtmmuQINBGPJkyMBEADA+zbYZmDs
e0lkU7kKBlzPo10Ae2CIGMqjhsRsX4hohgurEuKw+sC2pdkM9bq3rcLmBO66YpLQ
QbgHdHeKeDPPqIe9V3vVrFGRNadxc2z2GWr+fPHz4IQt6/KR8DEaFoJt8JFRUQ5L
14Ng+/DleW9aRRzRnDfpsCxNi9xjMz7p31fiaU3g2Im4/EwwxMv5bhWpTajQlszl
IdFS3//QUweyLascVYEfIX+3Gzrc4uGxLALiE8zbkWz5FGSjNOA1hvpt08QfFpGZ
lnjFtu/GrhzSE0kxbsP3MYHvTjDVif/oL8i1y12jIXE+umjHaWuyHwHmRAML9/9x
ih93kiYbUzfYkazqsWWzhEescQ7l2u4NTMlxKzZzOw/u+8C+UISSiORRkQf+ZkiO
3kz1oC89i8j/s8LVouOXojxN4YxjiBntLfXaOSWTeb3q7oBH+iaGvUi6TgiF5xAW
aWP3zd1H/n/6641+mtem2zesX0uFObisYC1DbhPq+1hjFq/ZeCbO90NclAAbv+0D
8v+feats/pAjFhmHptjkkez4Gk7s5Z1DTyMXI9ryIX2lN94p415PRqQDPU5G0Fqt
jgK0LJFIxqDUiWOHdglUDTTQopDmMt1GfqWoJE9iNpASmGmeTtioHjOUZe3nI+Ua
p95lCIUwTGBY85TmT7yUJh/gNVlDYBFj5wARAQABiQI8BBgBCAAmFiEEMM//czdn
uVvKGwbCrwYzsuzHp7QFAmPJkyMCGwwFCQeGH1AACgkQrwYzsuzHp7QtDw//dEem
r+o6DvlgoJa3S7TtIeiC/Ply0PLuiqsW80MbHwl7mrr2+XwEd4OHN6nwHSWQIRIj
AJ5VyvhVzo60s5ZVptZnIjG1jTbcaZ/xzCTA27nF56AsgJJ6OxyXISby+bRCC+YF
WQC9hKmUUuizrrrKwdiEqJ/FJ/Q58f45QJkKt9IxFCKiJqr1ct23yl09QSZlclL9
FEpw094CmLLqQ14hvUa6/rk6oKn/ljL2FFlLd+dNATkGzbushu1jCr2xLzGkSv9i
muWOUmPay/043hEbWIIo6t7eeEOBUayC4BsbykLYCUJS9qdvB2s+3u8RpRz37Hy5
S3Z/pZF+Opcixzs9GscvJAiS77EPz8dP4+sI6rJDWglUseUvOpcj60RaDOW2dgxr
AQvvAsCYYGyr2z2suW+iI+xGD06G9FxXHooWyDMySKSGvaY9nFv6HO20w41M7zEA
FS2bvzQ6vhHYLTz1cURy1MAUir3LiHyoks5khzCIODnnafRzY87tiPRNYHOlOddc
STu86Os0GGVrZM0A4jfJ8YqZTE6tdKF8pyUtycUI3zXlkVIxJhIxAUL067xSWFiy
D2jhIBMtDgcQ/iHlcPIjHcT/wW1WNS7QvzSdQnxRL3AHS0bUM2fPXhghgjgtfpJt
YZ367U0ffXdBx2DKE1CXT6sP3iJpF/UM9Lnd+Ic=
=cQFH
-----END PGP PUBLIC KEY BLOCK-----
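
A reporter should confirm that the key block above really belongs to the key ID this page advertises before encrypting anything to it. The following is an added example written for this page, not ASRG tooling: it strips the ASCII armor, walks the OpenPGP packets, recomputes the version 4 fingerprint from the primary key packet (RFC 4880, section 12.2) and compares its low 64 bits with the advertised key ID. The key block is copied from this page; the function names and the ADVERTISED_KEY_ID constant are this example's own. It uses only the Python standard library, and on the intact key block it reproduces 30CF FF73 3767 B95B CA1B 06C2 AF06 33B2 ECC7 A7B4, the fingerprint the key's own self-signatures carry.

```python
"""Added example (not ASRG tooling): recompute the fingerprint of an ASCII-armored
OpenPGP public key and compare it with the key ID a page advertises."""
import base64
import hashlib

ADVERTISED_KEY_ID = "AF0633B2ECC7A7B4"  # the key ID as printed on the ASRG page
ARMORED_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGPJkyMBEADMzFFclPmDd8swq891NyETvAS6hzppG5CwlQ9st52W0HlVMop4
oylPh+swFW7nCifJAbMnz1WxVKKP0aYRWOCYK1mrJ/a01FZIQIxQqJUWx3zglF95
FTp4OqiO4u+5NwTz4NGRouXdHTEeL2C1FgwYGMntDPAihKjUnSbqnSeulfs6VBnU
Fy2G8jXYnubi4/sQ7TAHR/e0LruXVWhCmKa7Dd00kSRljdcerE2nn6DX61UWBdTl
UIffQCRY0oU5ZP5nH2Y+ltFLe7bKJu3QtrQqhMCZZBKHmgY4hK7zoKEWBOBhr0hU
GQKaRHBPhNu6Z4sAuksGkXbE2KRxfEIOMKLg2y5q/mdG2NcjTZXXDbXf6Gi3SMyB
S7uybA1DofXQ1cEhCA/iSxtar5pcFMXrijkFVe7VRDH/qrl5h7anY4Jlrh74HUri
rFWINb4sTbxFKQ/dwUL5CXdYMdsIh9UBiFWFOywoK02ZZ0skJOPmBpjmUdAvFjR3
JoW20MrjONkoGi3ZXoKy7MCHA/MEiZ+ewveAq8njZpaPcwYZO/lDROC/xf8mpMHT
dPz23D+5TjwoLpQw927oEXCw+nuus2iLPREVuQIhy9/QhBTatDjtn2CNbNloKUXB
ha167VCvj821fx1U7kOktNphVgwMfdqbiypFEhxZZdPQyIfSdPf/PU9pTwARAQAB
tDVBdXRvbW90aXZlIFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwIDxzZWN1cml0eUBh
c3JnLmlvPokCVAQTAQgAPhYhBDDP/3M3Z7lbyhsGwq8GM7Lsx6e0BQJjyZMjAhsD
BQkHhh9QBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEK8GM7Lsx6e00wkP/3Nz
Z+OlK/ZaE337RqsZnlZJBnP7hTLMx7dLN851pNizGQse08/rvoiQl6NFAZRTIN3O
2H3LlW8Zg/ihl3nFjwK93nYqlvEty3nLQtoP/e5eG2zfvbJxscUdu17YmYXlRCA2
+0kFHQEH0HYCEpDrK92ipz5cR2vNj9coSY1n6syTR+cAAyiToVzZP5WYAssW+q0S
4PoIpeUKwu7GOVFKGtnKUsp+I4KgeFj+FEtmxb93ss6qdfvZkKWq5Iu/C9MR1lXQ
xSaFifWpY8DFE4PHtgyh1xEPJVO02k+0WmpmuGvB+x99RlzjGes2bKJhPHoYUAY1
4eqagXwK5dPpYiAW5ltinMVbSGlzKwrfNrGOJWtMxVkIMcxW1SABL/Uy2NvuMlLM
9Ti03cayZcvM9aVzf96aQRkN7Ttert/8RYbL5SLreYoq/eqxxT/TTkcy4qN1ryKx
Z3htduzpOMphubrs8wfM646oMsrSe495J1ZfZNjmwG+2+c9nhr9g/sEuho7Lc0lP
QO4Mh9f6hezjhjzOiNdwqOC6vRZTU5OSv7AbNMKPgdI/QD3lMLcY+5pvtzqsGFxt
6q5toG8ADDr0HzynFfuI6Khu9p/WAFm7TLigXKasmgKsK4fjzmFN31BKst/Xrjgj
1UThjKsYMs5VMCMy/yg8n+A/OmFRx6uCimEXOtmmuQINBGPJkyMBEADA+zbYZmDs
e0lkU7kKBlzPo10Ae2CIGMqjhsRsX4hohgurEuKw+sC2pdkM9bq3rcLmBO66YpLQ
QbgHdHeKeDPPqIe9V3vVrFGRNadxc2z2GWr+fPHz4IQt6/KR8DEaFoJt8JFRUQ5L
14Ng+/DleW9aRRzRnDfpsCxNi9xjMz7p31fiaU3g2Im4/EwwxMv5bhWpTajQlszl
IdFS3//QUweyLascVYEfIX+3Gzrc4uGxLALiE8zbkWz5FGSjNOA1hvpt08QfFpGZ
lnjFtu/GrhzSE0kxbsP3MYHvTjDVif/oL8i1y12jIXE+umjHaWuyHwHmRAML9/9x
ih93kiYbUzfYkazqsWWzhEescQ7l2u4NTMlxKzZzOw/u+8C+UISSiORRkQf+ZkiO
3kz1oC89i8j/s8LVouOXojxN4YxjiBntLfXaOSWTeb3q7oBH+iaGvUi6TgiF5xAW
aWP3zd1H/n/6641+mtem2zesX0uFObisYC1DbhPq+1hjFq/ZeCbO90NclAAbv+0D
8v+feats/pAjFhmHptjkkez4Gk7s5Z1DTyMXI9ryIX2lN94p415PRqQDPU5G0Fqt
jgK0LJFIxqDUiWOHdglUDTTQopDmMt1GfqWoJE9iNpASmGmeTtioHjOUZe3nI+Ua
p95lCIUwTGBY85TmT7yUJh/gNVlDYBFj5wARAQABiQI8BBgBCAAmFiEEMM//czdn
uVvKGwbCrwYzsuzHp7QFAmPJkyMCGwwFCQeGH1AACgkQrwYzsuzHp7QtDw//dEem
r+o6DvlgoJa3S7TtIeiC/Ply0PLuiqsW80MbHwl7mrr2+XwEd4OHN6nwHSWQIRIj
AJ5VyvhVzo60s5ZVptZnIjG1jTbcaZ/xzCTA27nF56AsgJJ6OxyXISby+bRCC+YF
WQC9hKmUUuizrrrKwdiEqJ/FJ/Q58f45QJkKt9IxFCKiJqr1ct23yl09QSZlclL9
FEpw094CmLLqQ14hvUa6/rk6oKn/ljL2FFlLd+dNATkGzbushu1jCr2xLzGkSv9i
muWOUmPay/043hEbWIIo6t7eeEOBUayC4BsbykLYCUJS9qdvB2s+3u8RpRz37Hy5
S3Z/pZF+Opcixzs9GscvJAiS77EPz8dP4+sI6rJDWglUseUvOpcj60RaDOW2dgxr
AQvvAsCYYGyr2z2suW+iI+xGD06G9FxXHooWyDMySKSGvaY9nFv6HO20w41M7zEA
FS2bvzQ6vhHYLTz1cURy1MAUir3LiHyoks5khzCIODnnafRzY87tiPRNYHOlOddc
STu86Os0GGVrZM0A4jfJ8YqZTE6tdKF8pyUtycUI3zXlkVIxJhIxAUL067xSWFiy
D2jhIBMtDgcQ/iHlcPIjHcT/wW1WNS7QvzSdQnxRL3AHS0bUM2fPXhghgjgtfpJt
YZ367U0ffXdBx2DKE1CXT6sP3iJpF/UM9Lnd+Ic=
=cQFH
-----END PGP PUBLIC KEY BLOCK-----"""


def dearmor(armored: str) -> bytes:
    """Strip the armor: blank lines, 'Key: value' headers and the '=XXXX' CRC trailer are dropped."""
    inner = armored.replace("\r\n", "\n").split("-----\n", 1)[1].rsplit("\n-----", 1)[0]
    lines = [ln.strip() for ln in inner.splitlines() if ln.strip() and ":" not in ln]
    return base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))


def packets(data: bytes):
    """Yield (tag, body) for old-format packet headers, which gpg uses when exporting v4 keys."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 != 0x80 or ctb & 0x03 == 3:  # new-format header or indeterminate length
            raise ValueError(f"unsupported packet header 0x{ctb:02x} at offset {i}")
        hlen = (1, 2, 4)[ctb & 0x03]
        n = int.from_bytes(data[i + 1:i + 1 + hlen], "big")
        yield (ctb >> 2) & 0x0F, data[i + 1 + hlen:i + 1 + hlen + n]
        i += 1 + hlen + n


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length and the key packet body."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()


def check_key_block(armored: str, advertised_key_id: str) -> dict:
    """Compare the recomputed fingerprint's low 64 bits with the advertised key ID."""
    pkts = list(packets(dearmor(armored)))
    fp = v4_fingerprint(next(body for tag, body in pkts if tag == 6))  # tag 6 = primary public key
    uid = next(body for tag, body in pkts if tag == 13).decode()        # tag 13 = user ID
    return {"fingerprint": fp, "key_id": fp[-16:], "uid": uid,
            "key_id_matches_page": fp[-16:] == advertised_key_id.upper()}


if __name__ == "__main__":
    for name, value in check_key_block(ARMORED_KEY, ADVERTISED_KEY_ID).items():
        print(f"{name}: {value}")
```

With gpg the equivalent check is `gpg --import` followed by `gpg --fingerprint AF0633B2ECC7A7B4` and a comparison of all twenty bytes of the printed fingerprint against the value above; keys whose 64-bit key ID collides with a target's are cheap to generate, so the key ID is a lookup handle, not a trust anchor. The parser deliberately stops on new-format packet headers rather than guessing, so that a key block it does not understand fails loudly instead of yielding a plausible-looking wrong fingerprint.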

A submitted vulnerability report should contain at least the following details:

  • the affected component, service or product
  • where relevant, the versions of the affected components
  • vendor and ecosystem information for the affected services or products
  • vulnerability or incident details
  • steps to reproduce it (proof of concept)

Please take care not to include:

  • personally identifiable information (PII) of third parties

PROCESS

Issuer: the person or entity who has submitted the disclosure report and initiated the disclosure process.

ASRG: moderator of the ASRG disclosure process.

All communication during the disclosure process must remain confidential until the agreed publication date.

Once ASRG has received your report, we will take the following steps:

  1. ASRG will review the content of the provided information and the claim of the disclosure. In the case of open questions or needed clarification, ASRG will contact the issuer to close the information gaps.
  2. If the report meets the required quality and content, ASRG will contact the affected manufacturer. If the issuer is to be directly involved in the communication with the manufacturer, ASRG will establish this communication channel.
  3. ASRG will relay the vulnerability details and collaborate on a public disclosure timeline.
  4. After notification, and unless one of the involved parties requests another option, ASRG follows a 90-day responsible disclosure and remediation timeline. ASRG’s interest is to grant the affected manufacturer a period of time to fix the vulnerability, preventing future damage to consumers and to the manufacturer itself, before the information is publicly announced. An extension of this period can be granted at the manufacturer’s request, and, depending on the severity or complexity of the disclosed vulnerability, ASRG will hold publication until an effective fix is available.
  5. If the affected manufacturer does not acknowledge or reply to the initial disclosure email within 30 business days of the original notification, ASRG resends the vulnerability details to the manufacturer’s original point of contact and to at least one secondary contact, if a secondary contact is publicly available.
  6. If a further 10 business days elapse with no response from the manufacturer after the second notification (40 business days in total since the original notification), ASRG resends the vulnerability details not only to the previous two contacts but also to confidential stakeholders such as the Auto-ISAC.
  7. If the affected manufacturer does not respond to any of the three notification attempts within a further 10 business days following the third notification (50 business days in total since the original notification), or indicates that it does not wish to coordinate disclosure, ASRG may elect to issue a public advisory with no further collaboration once the 90-day publication embargo has elapsed.
  8. After receiving a statement from the affected manufacturer, ASRG will evaluate it together with the issuer and decide on further steps depending on the response.
  9. ASRG will clarify together with the affected manufacturer and the issuer the best way for everyone involved to publish the discovered vulnerability, giving full credit to the originator of the issue.
  10. ASRG, as an officially recognised CVE Numbering Authority (CNA), assigns a CVE ID to the vulnerability.

The affected manufacturer should acknowledge ASRG’s notifications with the following details:

  • a first confirmation that the vulnerability information has been received
  • a point of contact responsible for coordinating and tracking the reported issue within their company
  • an estimate of when the initial investigation will be completed
  • the timeline needed for their own investigation
  • regular information updates
  • if needed, a formal request to extend the fixing period before publication

We greatly appreciate the efforts of the many dedicated people who discover security vulnerabilities and share this information responsibly. ASRG commits to respecting the interests of the issuer and can help to resolve possible escalation situations.