[{"id":3769400,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n- Provide detailed reports with reproducible steps. Screenshots are welcome.\n- Do not cause harm to John Deere, our customers, or others.\n- Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically;\n   - Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data:\n   - Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us\n   - Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services\n   - Do not violate any laws, including all privacy and data security laws. \n   - Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure\n   - Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n   - Do not participate in this program if you are:\n      - A member of a foreign terrorist organization as designated by the U.S. Department of State;\n      - A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”)\n      - Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of Commerce\n      - We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process\n\n## Using Credentials found in Breached Data\n- The submission of breached credentials is currently out of scope as we develop and implement internal processes to mitigate exposure.\n  \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, including John Deere machines, equipment or hardware (collectively “Equipment”), as well as any software, firmware or other component of John Deere equipment\n\n## Tracking\nTo help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly owned subsidiaries. Examples of digital applications, products and services that are in scope can be found the \"Scope\" tab of the policy page.\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Rate Limiting Vulnerabilities\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n* Cache Poisoning Vulnerabilities relating to cloudfront (CDN).\n\n#### Dangling IP Vulnerabilities\n\n- **Accepted:** Dangling IP vulnerabilities are **in scope** only if you can demonstrate a clear and reproducible security impact, such as a subdomain takeover or the ability for an attacker to claim the IP address and serve malicious content to users or systems. Reports must include evidence of a practical exploit, not just the existence of an unassigned or unallocated IP. **Simply showing that an IP address is no longer listed as owned by John Deere is not sufficient evidence of impact.**\n- **Not Accepted:** Reports of unassigned, unallocated, or \"dangling\" IP addresses that do not result in a proven security risk (e.g., no subdomain takeover, no ability to intercept or serve traffic) are **out of scope**. Merely identifying a released or unassociated IP address is not sufficient for a valid report.\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-09T14:02:17.801Z"},{"id":3758439,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\n* The submission of breached credentials is currently out of scope as we develop and implement internal processes to mitigate exposure.\n  \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n3. To help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly owned subsidiaries. Examples of digital applications, products and services that are in scope can be found the \"Scope\" tab of the policy page.\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Rate Limiting Vulnerabilities\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n* Cache Poisoning Vulnerabilities relating to cloudfront (CDN).\n\n#### Dangling IP Vulnerabilities\n\n- **Accepted:** Dangling IP vulnerabilities are **in scope** only if you can demonstrate a clear and reproducible security impact, such as a subdomain takeover or the ability for an attacker to claim the IP address and serve malicious content to users or systems. Reports must include evidence of a practical exploit, not just the existence of an unassigned or unallocated IP. **Simply showing that an IP address is no longer listed as owned by John Deere is not sufficient evidence of impact.**\n- **Not Accepted:** Reports of unassigned, unallocated, or \"dangling\" IP addresses that do not result in a proven security risk (e.g., no subdomain takeover, no ability to intercept or serve traffic) are **out of scope**. Merely identifying a released or unassociated IP address is not sufficient for a valid report.\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-02T14:41:10.522Z"},{"id":3756948,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\n* The submission of breached credentials is currently out of scope as we develop and implement internal processes to mitigate exposure.\n  \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n3. To help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly owned subsidiaries. Examples of digital applications, products and services that are in scope can be found the \"Scope\" tab of the policy page.\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Rate Limiting Vulnerabilities\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n#### Cache Poisoning Vulnerabilities\n\n- **Accepted:** Cache poisoning vulnerabilities are **in scope** only if they can be reliably exploited in a browser context to affect the **availability** of content or services for other users. The impact must be consistent and reproducible.\n- **Not Accepted:** Cache poisoning issues that do not affect availability, cannot be exploited in a browser, or are not reliably reproducible are **out of scope**.\n\n#### Dangling IP Vulnerabilities\n\n- **Accepted:** Dangling IP vulnerabilities are **in scope** only if you can demonstrate a clear and reproducible security impact, such as a subdomain takeover or the ability for an attacker to claim the IP address and serve malicious content to users or systems. Reports must include evidence of a practical exploit, not just the existence of an unassigned or unallocated IP. **Simply showing that an IP address is no longer listed as owned by John Deere is not sufficient evidence of impact.**\n- **Not Accepted:** Reports of unassigned, unallocated, or \"dangling\" IP addresses that do not result in a proven security risk (e.g., no subdomain takeover, no ability to intercept or serve traffic) are **out of scope**. Merely identifying a released or unassociated IP address is not sufficient for a valid report.\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-05T14:59:22.372Z"},{"id":3756072,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\n* The submission of breached credentials is currently out of scope as we develop and implement internal processes to mitigate exposure.\n  \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n3. To help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly owned subsidiaries. Examples of digital applications, products and services that are in scope can be found the \"Scope\" tab of the policy page.\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Rate Limiting Vulnerabilities\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n#### Cache Poisoning Vulnerabilities\n\n- **Accepted:** Cache poisoning vulnerabilities are **in scope** only if they can be reliably exploited in a browser context to affect the **availability** of content or services for other users. The impact must be consistent and reproducible.\n- **Not Accepted:** Cache poisoning issues that do not affect availability, cannot be exploited in a browser, or are not reliably reproducible are **out of scope**.\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-21T23:02:06.782Z"},{"id":3742219,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\n* The submission of breached credentials is currently out of scope as we develop and implement internal processes to mitigate exposure.\n  \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n3. To help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly owned subsidiaries. Examples of digital applications, products and services that are in scope can be found the \"Scope\" tab of the policy page.\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-16T20:28:25.413Z"},{"id":3739440,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\n* The submission of breached credentials is currently out of scope as we develop and implement internal processes to mitigate exposure.\n  \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n3. To help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-16T19:04:37.160Z"},{"id":3736397,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\n* The submission of breached credentials is currently out of scope as we develop and implement internal processes to mitigate exposure.\n  \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n3. To help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-16T12:35:58.992Z"},{"id":3734012,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\nSubmit credentials before validating credentials that have been found in the following list which includes, but is not limited to:\n- Data breaches\n- Github repositories\n- Certain logging sites\n- etc..\n\nIt is strictly prohibited to use any credentials found in breach data on the aforementioned list, on applications without prior approval from the Deere Team.\n\nAny credentials found in breach data on the aforementioned list must be immediately reported to the Deere Team (DO NOT TEST BEFORE REPORTING) via the HackerOne Portal.\n\nValidating credentials will be considered testing the platform. If the credentials are found to be valid by the Deere Team, immediate steps will be taken to secure the affected account and impact analysis will be reflected in the ticket. \n\n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n3. To help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-25T16:20:22.482Z"},{"id":3719790,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\nSubmit credentials before validating credentials that have been found in the following list which includes, but is not limited to:\n- Data breaches\n- Github repositories\n- Certain logging sites\n- etc..\n\nIt is strictly prohibited to use any credentials found in breach data on the aforementioned list, on applications without prior approval from the Deere Team.\n\nAny credentials found in breach data on the aforementioned list must be immediately reported to the Deere Team (DO NOT TEST BEFORE REPORTING) via the HackerOne Portal.\n\nValidating credentials will be considered testing the platform. If the credentials are found to be valid by the Deere Team, immediate steps will be taken to secure the affected account and impact analysis will be reflected in the ticket. \n\n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n3. To help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-20T13:23:51.427Z"},{"id":3709535,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\nSubmit credentials before validating credentials that have been found in the following list which includes, but is not limited to:\n- Data breaches\n- Github repositories\n- Certain logging sites\n- etc..\n\nIt is strictly prohibited to use any credentials found in breach data on the aforementioned list, on applications without prior approval from the Deere Team.\n\nAny credentials found in breach data on the aforementioned list must be immediately reported to the Deere Team (DO NOT TEST BEFORE REPORTING) via the HackerOne Portal.\n\nValidating credentials will be considered testing the platform. If the credentials are found to be valid by the Deere Team, immediate steps will be taken to secure the affected account and impact analysis will be reflected in the ticket. \n\n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:\n* The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.\n* The unintended actions can be executed within the context of that specific entity only.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-19T13:44:41.049Z"},{"id":3705954,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\nSubmit credentials before validating credentials that have been found in the following list which includes, but is not limited to:\n- Data breaches\n- Github repositories\n- Certain logging sites\n- etc..\n\nIt is strictly prohibited to use any credentials found in breach data on the aforementioned list, on applications without prior approval from the Deere Team.\n\nAny credentials found in breach data on the aforementioned list must be immediately reported to the Deere Team (DO NOT TEST BEFORE REPORTING) via the HackerOne Portal.\n\nValidating credentials will be considered testing the platform. If the credentials are found to be valid by the Deere Team, immediate steps will be taken to secure the affected account and impact analysis will be reflected in the ticket. \n\n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Exposed Okta Client_ID's/Secret's\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-26T20:39:25.661Z"},{"id":3705561,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\nSubmit credentials before validating credentials that have been found in the following list which includes, but is not limited to:\n- Data breaches\n- Github repositories\n- Certain logging sites\n- etc..\n\nIt is strictly prohibited to use any credentials found in breach data on the aforementioned list, on applications without prior approval from the Deere Team.\n\nAny credentials found in breach data on the aforementioned list must be immediately reported to the Deere Team (DO NOT TEST BEFORE REPORTING) via the HackerOne Portal.\n\nValidating credentials will be considered testing the platform. If the credentials are found to be valid by the Deere Team, immediate steps will be taken to secure the affected account and impact analysis will be reflected in the ticket. \n\n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n## Account Registration\nWhen registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-20T19:17:48.042Z"},{"id":3683042,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n\n## Using Credentials found in Breached Data\nSubmit credentials before validating credentials that have been found in the following list which includes, but is not limited to:\n- Data breaches\n- Github repositories\n- Certain logging sites\n- etc..\n\nIt is strictly prohibited to use any credentials found in breach data on the aforementioned list, on applications without prior approval from the Deere Team.\n\nAny credentials found in breach data on the aforementioned list must be immediately reported to the Deere Team (DO NOT TEST BEFORE REPORTING) via the HackerOne Portal.\n\nValidating credentials will be considered testing the platform. If the credentials are found to be valid by the Deere Team, immediate steps will be taken to secure the affected account and impact analysis will be reflected in the ticket. \n\n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-06T15:42:19.163Z"},{"id":3679323,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-01T19:51:08.304Z"},{"id":3676165,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n16. *jdisonsite.com\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-16T16:08:31.941Z"},{"id":3674516,"new_policy":"# Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \n## Disclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n## Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n## Program Scope\nAny John Deere digital application, product or service, but excluding: \n1. Any John Deere machine, equipment or other hardware (collectively “Equipment”)\n2.  Any software, firmware or other component of John Deere Equipment. \n\nFor the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11. https://apps.apple.com/us/app/myoperations/id1104383066\n12. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13. https://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n\n## Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n### The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And  (2) Any software, firmware or other component of John Deere Equipment.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-15T20:27:23.536Z"},{"id":3674513,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \nDisclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n#Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n#Program Scope\nAny John Deere digital application, product or service, but excluding: (1) Any John Deere machine, equipment or other hardware (collectively “Equipment”) And (2) Any software, firmware or other component of John Deere Equipment. For the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. *johndeere.com\n2. *deere.com     \n3.\t*wirtgen-group.com\n4.\t*bluerivertechnology.com\n5.\t*bearflagrobotics.com\n6.\t*.jdisonline.com\n7. *agrisync.com\n8. *johndeerecloud.com\n9. *starfirenetwork.com\n10. *johndeeretechinfo.com\n11.\thttps://apps.apple.com/us/app/myoperations/id1104383066\n12.\thttps://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US\n13.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477\n14. https://apps.apple.com/us/app/john-deere-connect-mobile/id958749681\n15. https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US\n\n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-15T20:07:41.383Z"},{"id":3661041,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \nDisclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n#Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n#Program Scope\nAny John Deere digital application, product or service, but excluding: (1) Any John Deere machine, equipment or other hardware (collectively “Equipment”) And (2) Any software, firmware or other component of John Deere Equipment. For the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. http(s)://*johndeere.com*\n2. http(s)://*deere.com*     \n3.\thttp(s)://wirtgen-group.com\n4.\thttp(s)://bluerivertechnology.com\n5.\thttp(s)://bearflagrobotics.com\n6.\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP)\n7.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n8.\thttps://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n9.\thttps://developer.deere.com\n10.\thttps://jdlink.deere.com - JDLink\n11.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App)\n12.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n13.\thttps://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not \n    limited to:\n     * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n     * Session Cookie Reuse\n     * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-03T15:39:54.854Z"},{"id":3661040,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \nDisclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our \n     services. Specifically;\n     o\t  Avoid access to data related to individuals and contact us immediately if you inadvertently encounter \n          such data;\n     o\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data \n            upon reporting the vulnerability to us;\n     o\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our \n            services.\n       o  Do not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\n      o\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\n      o\tA resident of or located in a country against which the United States has trade restrictions or export \n            sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n      o\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department \n            of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n#Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n#Program Scope\nAny John Deere digital application, product or service, but excluding: (1) Any John Deere machine, equipment or other hardware (collectively “Equipment”) And (2) Any software, firmware or other component of John Deere Equipment. For the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. http(s)://*johndeere.com*\n2. http(s)://*deere.com*     \n3.\thttp(s)://wirtgen-group.com\n4.\thttp(s)://bluerivertechnology.com\n5.\thttp(s)://bearflagrobotics.com\n6.\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP)\n7.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n8.\thttps://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n9.\thttps://developer.deere.com\n10.\thttps://jdlink.deere.com - JDLink\n11.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App)\n12.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n13.\thttps://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-03T15:39:06.306Z"},{"id":3660560,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.\n \nDisclosure Policy Guidelines\n•\tProvide detailed reports with reproducible steps. Screenshots are welcome.\n•\tDo not cause harm to John Deere, our customers, or others.\n•\tDo not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically;\no\tAvoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\no\tDo not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\no\tAct in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n•\tDo not violate any laws, including all privacy and data security laws. \n•\tDo not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n•\tOnly conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n•\tDo not participate in this program if you are:\no\tA member of a foreign terrorist organization as designated by the U.S. Department of State;\no\tA resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\no\tIncluded on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of Commerce\n•\tWe aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n#Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n#Program Scope\nAny John Deere digital application, product or service, but excluding: (1) Any John Deere machine, equipment or other hardware (collectively “Equipment”) And (2) Any software, firmware or other component of John Deere Equipment. For the purposes of Program Scope, “John Deere” includes Deere \u0026 Company and each of its wholly-owned subsidiaries.  Examples of digital applications, products and services that are in scope include:\n\n1. http(s)://*johndeere.com*\n2. http(s)://*deere.com*     \n3.\thttp(s)://wirtgen-group.com\n4.\thttp(s)://bluerivertechnology.com\n5.\thttp(s)://bearflagrobotics.com\n6.\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP)\n7.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n8.\thttps://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n9.\thttps://developer.deere.com\n10.\thttps://jdlink.deere.com - JDLink\n11.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App)\n12.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n13.\thttps://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-10-26T15:20:12.635Z"},{"id":3658929,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And (2) Any software, firmware or other component of John Deere Equipment.\n\n1. http(s)://*johndeere.com*\n2. http(s)://*deere.com*     \n3. https://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n4.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n5. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n6.\thttps://developer.deere.com\n7.\thttps://jdlink.deere.com - JDLink\n8.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n9.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n10.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-27T18:22:48.904Z"},{"id":3658922,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\nAny John Deere digital application, product or service, but excluding: (1)Any John Deere machine, equipment or other hardware (collectively “Equipment”) And (2) Any software, firmware or other component of John Deere Equipment.\n\n1. http(s)://*johndeere.com*\n2. http(s)://*deere.com*\n3\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n4.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n5. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n6.\thttps://developer.deere.com\n7.\thttps://jdlink.deere.com - JDLink\n8.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n9.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n10.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-27T17:26:47.074Z"},{"id":3658921,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\n1. http(s)://*johndeere.com*\n2. http(s)://*deere.com*\n3\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n4.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n5. https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n6.\thttps://developer.deere.com\n7.\thttps://jdlink.deere.com - JDLink\n8.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n9.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n10.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-27T17:21:16.455Z"},{"id":3658920,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\n1. http(s)://*johndeere.com*\n2. http(s)://*deere.com*\n3\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n4.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n5.   https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n6.\thttps://developer.deere.com\n7.\thttps://jdlink.deere.com - JDLink\n8.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n9.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n10.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-27T17:20:57.126Z"},{"id":3658919,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\nhttp(s)://*deere.com*\nhttp(s)://*johndeere.com*\n5.\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n13.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n14.   https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n14.\thttps://developer.deere.com\n15.\thttps://jdlink.deere.com - JDLink\n16.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n17.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n18.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-27T17:15:54.374Z"},{"id":3658917,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\n1. http(s)://*johndeere.com*\n5.\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n13.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n14.   https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n14.\thttps://developer.deere.com\n15.\thttps://jdlink.deere.com - JDLink\n16.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n17.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n18.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-27T17:15:01.321Z"},{"id":3658916,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\n5.\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n13.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n14.   https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n14.\thttps://developer.deere.com\n15.\thttps://jdlink.deere.com - JDLink\n16.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n17.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n18.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-27T17:10:58.103Z"},{"id":3658915,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\n5.\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n6.\thttps://myjohndeere.deere.com - MyJohnDeere \n7.\thttps://jdquote2.deere.com - JD Quote \n8.\thttp://mint.deere.com/jdmint/main - JDMint \n9.\thttps://jdwarrantysystem.deere.com/ - Warranty \n10.\thttps://ccms.deere.com/ - CCMS \n11.\thttps://salescenter.deere.com/ - Sales Center \n12.\thttps://my.deere.com - Operations Center\n13.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n14.   https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n14.\thttps://developer.deere.com\n15.\thttps://jdlink.deere.com - JDLink\n16.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n17.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n18.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n19.\thttps://MyFinancialAccounts.deere.com\n20.\thttps://oca.deere.com\n21.\thttps://payload.deere.com\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-27T17:10:23.835Z"},{"id":3658914,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\n5.\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n13.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n14.   https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n14.\thttps://developer.deere.com\n15.\thttps://jdlink.deere.com - JDLink\n16.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n17.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n18.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment \n\n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-27T17:08:57.763Z"},{"id":3655974,"new_policy":"#Responsible Disclosure Policy\n \nJohn Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.\n \nWe encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. **Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.**\n \n##Disclosure Policy Guidelines\n* Provide detailed reports with reproducible steps. Screenshots are welcome.\n* Do not cause harm to John Deere, our customers, or others.\n* Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically:\n   * Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;\n   * Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;\n   * Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.\n* Do not violate any laws, including all privacy and data security laws. \n* Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.\n* Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.\n* Do not participate in this program if you are:\n   * A member of a foreign terrorist organization as designated by the U.S. Department of State;\n   * A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”); or\n   * Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of \nCommerce\n* We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.\n \n##Safe Harbor\nWe agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program.  In the event of a conflict between this policy and any HackerOne policy, this policy applies.\n \n##Program Scope\n1.\thttps://www.johndeere.com\n2.\thttps://deere.com\n3.\thttp://serviceadvisor.deere.com/WebSA/home - Service ADVISOR Online \n4.\thttps://partsadvisor.deere.com/ - Parts ADVISOR \n5.\thttps://jdoapps.jdisonline.com - JDO Portal (EQUIP) \n6.\thttps://myjohndeere.deere.com - MyJohnDeere \n7.\thttps://jdquote2.deere.com - JD Quote \n8.\thttp://mint.deere.com/jdmint/main - JDMint \n9.\thttps://jdwarrantysystem.deere.com/ - Warranty \n10.\thttps://ccms.deere.com/ - CCMS \n11.\thttps://salescenter.deere.com/ - Sales Center \n12.\thttps://my.deere.com - Operations Center\n13.\thttps://apps.apple.com/us/app/myoperations/id1104383066 - MyOperations (Apple App)\n14.   https://play.google.com/store/apps/details?id=com.deere.myoperations\u0026hl=en_US -MyOperations (Android App)\n14.\thttps://developer.deere.com\n15.\thttps://jdlink.deere.com - JDLink\n16.\thttps://apps.apple.com/us/app/equipmentplus/id1498206477 - Connected Mobile (Apple App) \n17.\thttps://apps.apple.com/us/app/john-deere-connect-mobile/id958749681 - Equipment Plus (Apple App)\n18.    https://play.google.com/store/apps/details?id=com.deere.equipmentplus\u0026hl=en_US\u0026gl=US - Equipment Plus (Android App)\n19.\thttps://MyFinancialAccounts.deere.com\n20.\thttps://oca.deere.com\n21.\thttps://payload.deere.com\n  \n##Out of Scope Vulnerabilities\nWhen reporting vulnerabilities, please consider:\n1. attack scenario/exploitability\n2. security impact of the bug. \n\n###The following issues are considered out of scope:\n \n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n * Any vulnerability requiring Social Engineering or Phishing to exploit are out of scope. Including, but not limited to:\n   * Self\\Client\\Reflective XSS ( **Exception: Stored XSS vulnerabilities**)\n   * Session Cookie Reuse\n   * Open redirect vulnerabilities\n* Open ports which do not lead directly to a vulnerability\n* Reports from automated tools or scans without a working Proof of Concept\n* Physical Penetration Testing\n* Denial of Service Attacks\n* Non Deere hosted websites\n* Presence of autocomplete attribute on web forms\n* John Deere machines or equipment\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-02T13:44:47.439Z"}]