Disclosure

Existing Disclosure Programs

The ASRG Disclosure Process supports responsible disclosure when direct communication with the responsible company is unavailable or the company is not responsive. Please use the link here to find a list of the known existing automotive vulnerability and incident disclosure programs.

POLICY

As a Non-Profit Organisation, we support the automotive industry in building the most secure products possible and help to develop secure solutions by providing knowledge, collaborating with other market players, promoting networking and sharing information. Because of this mission, we take security issues very seriously and recognise the importance of privacy and security in protecting society from harm.

As such, we aim to provide a disclosure program for the security community through which you can report privacy and security issues related to the automotive industry and/or its ecosystems (e.g. backend systems, charging stations, automotive connected services, etc.). To accomplish this, we are committed to helping address and report vulnerabilities through a coordinated and secure program.

All products contain bugs or unexpected behaviour under certain circumstances. If you are a Security Researcher, a Security Enthusiast, an Ethical Hacker or a Developer and have discovered an issue which you believe to be a potential security vulnerability or incident, we would like to help you coordinate the vulnerability disclosure process so that the problem is handled and ultimately fixed. To do this, please proceed as follows and choose the appropriate way to contact us.

Our disclosure program aims to protect both the maintainer and the reporting researcher, allowing automotive manufacturers, suppliers and service providers to safely benefit from the discovery of these vulnerabilities or incidents prior to public disclosure. On the one hand it rewards researchers for their dedication, and on the other hand it helps consumers of automotive products get more secure products.

We invite you to provide your information by using the following PGP key at [email protected].

A submitted vulnerability report should contain the following details as a minimum:

  • affected component, service or product
  • versions of the affected components, services or products, where relevant
  • relevant vendor and ecosystem information
  • vulnerability or incident details
  • steps to reproduce it (proof-of-concept)

Please take care, because we do not want to receive:

  • Personally identifiable information (PII) from 3rd parties

Public Key

Please use this public key to encrypt your disclosure submission to us.

PROCESS

Issuer: The person or entity who has submitted the disclosure report and initiated the disclosure process.

ASRG: Moderator of the ASRG disclosure process.

All communication during the disclosure process must remain confidential until the agreed point in time.

Once ASRG has received your report, we will take the following steps:

  1. ASRG will review the content of the provided information and the claim of the disclosure. In the case of open questions or needed clarification, ASRG will contact the issuer to close the information gaps.
  2. If the report meets the required quality and content, ASRG will contact the affected manufacturer. If the issuer is to be directly involved in the communication with the manufacturer, ASRG will establish this communication channel.
  3. ASRG will relay the vulnerability details, and collaborate on a public disclosure timeline.
  4. After notification, and if none of the involved parties requests another option, ASRG follows a 90-day responsible disclosure and remediation timeline. ASRG's interest is to grant the affected manufacturer a period of time to fix the vulnerability and prevent any future damage to public consumers and the manufacturer itself before the information is publicly announced. Furthermore, an extension of this period can be provided at the manufacturer's request, and depending on the severity or complexity of the disclosed vulnerability, ASRG will delay publication until an effective fix is available.
  5. If the affected manufacturer does not acknowledge or reply to the initial disclosure email within 30 business days of the original notification, ASRG resends the vulnerability details to the manufacturer's original point of contact and to at least one secondary contact, if a secondary contact is publicly available.
  6. If an additional 10 business days elapse with no response from the manufacturer after the second notification (40 business days in total since the original notification), ASRG resends the vulnerability details not only to the previous two contacts but also to confidential stakeholders such as Auto-ISAC.
  7. If the affected manufacturer does not respond to any of the three notification attempts within an additional 10 business days following the third notification (50 business days in total since the original notification), or if the manufacturer indicates that it does not wish to coordinate disclosure, ASRG may elect to issue a public advisory with no further collaboration after the 90-day publication embargo.
  8. After receiving a statement from the affected manufacturer, ASRG will evaluate it together with the issuer and decide on further steps depending on the response.
  9. ASRG will agree together with the affected manufacturer and the issuer on the best way for everyone involved to publish the discovered vulnerability, giving full credit to the originator of the issue.
  10. ASRG, as an officially recognized CVE Numbering Authority (CNA), assigns a CVE to the vulnerability.

The affected manufacturer should acknowledge receipt of notifications to ASRG with the following details:

  • first confirmation that the vulnerability information has been received
  • a point of contact responsible for coordinating and tracking information on the provided issue within their company
  • an estimate of when the initial investigation will be completed
  • the timeline needed for its own investigation
  • regular information updates
  • if needed, an official request to extend the fixing period before publication

We greatly appreciate the efforts of the many dedicated people who discover security vulnerabilities and share this information in a trusted way. ASRG commits to respecting the interests of the issuer and can help to resolve possible escalation situations.
