[{"id":3762221,"new_policy":"# Program Description\nThe security of its vehicles, digital services and accessories is important to Porsche. We therefore prioritize the confidentiality, integrity and availability of our data and systems. Porsche extends this commitment to encompass customers, employees and partners as well. Despite careful development, manufacturing and testing, vulnerabilities may exist in individual cases. We value the work of security researchers in improving the security of our products and digital services and appreciate it when the community reports vulnerabilities that affect our assets. Our commitment lies in collaborating with highly skilled researchers to validate, reproduce and respond to legitimately reported vulnerabilities that are covered by the given initiative’s rules and policies. With the given bug bounty, rewards can be received by reporting vulnerabilities that are in scope of the program. Please take note of the program scope outlined in the scope tab of our policy. \nTesting any out-of-scope assets is strictly prohibited and will not be tolerated under any circumstances. Any such actions may lead to immediate disqualification from the program and further consequences. Only vulnerabilities discovered within the scope of the Safe Harbor Agreement qualify for submission and bounty consideration.\n\n# Exclusion of Porsche employees and active contractors/suppliers \n\nWe're excited to continue our commitment to enhancing security through the given bug bounty program. To ensure fairness and transparency, we want to clarify that our valued employees, contractors and suppliers with active procurement orders are not eligible to participate in the program. Additionally, you should not use duplicate HackerOne accounts. Thank you for your understanding and ongoing support in making our systems safer for everyone. 
\n\n# Response Times\nGenerally, we try to achieve the following response times: \n\n| Type of Response | Business days |\n| ------------- | ------------- |\n| First response (from report submit) | 02 days |\n| Time to triage (from report submit) | 12 days |\n| Time to bounty approval (from triage) | 30 days |\n\n# Disclosure Policy\n* Do not disclose details of this program or vulnerabilities (even resolved ones) to the public or any third party without Porsche AG’s explicit consent. \n* Follow Porsche's [standard disclosure policy](https://www.porsche.com/international/information-security/).\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# General Rules\n* In case of duplicate submissions, only the first report that was received will be awarded (provided that it can be fully reproduced). \n* Multiple exploits caused by one underlying vulnerability will be awarded one bounty. \n* Some sites might rely on shared resources or assets. If we identify this issue, we will only award a bounty for the first report. \n* Public Zero-day vulnerabilities that have had an official patch for less than 6 weeks will be awarded on a case-by-case basis. \n* Only interact with accounts you own or with the explicit permission of the account holder. \n* Vulnerabilities that are reported on identical systems in different hosted environments (development, production, test) are counted as one vulnerability. \n* After successful triage and subsequent closing of a report, security researchers are kindly asked to check the vulnerability for successful remediation. \n* Excessive or repeated testing of systems outside the permitted scope may be considered misuse of the service and may result in temporary suspension or permanent termination of the user's account.\n\n# Test Plan\n* No test accounts and no credentials will be provided for this program. 
However, if any application that is found allows for account creation / self-registration, that would be considered in scope. In this case, please use your @wearehackerone.com e-mail address.\n* Researchers should add headers to requests such as: \n        “X-HackerOne-Research: [H1 username]”\n\n# Do's\n* Always submit proof or a PoC regarding the exploitability for your finding. \n* Provide detailed reports with reproducible steps, including the full HTTP requests leading to the exploit. \n* Submit one vulnerability per report, unless you need to chain the vulnerabilities for successful exploitation. \n* Please, only ever target your own account or a test account. \n\n# Don'ts\n* Do not use automated vulnerability scanners on this program. However, targeted use of scanners for specific functionalities, custom scripts \u0026 fuzzing tools are permitted. If using any of these tools, please keep your traffic to six requests per second or less in order not to cause any degradation to Porsche’s services.  \nNote that we already run automated scans against the in-scope targets – so using these tools is likely of minimal utility to researchers. \n* Do not access or make changes to customer accounts. \n* Do not perform social engineering attacks, including phishing. \n* Do not spam. \n* Do not engage in any activity that bombards Porsche services with substantial amounts of requests or large volumes of data. \n* Do not perform any physical attacks or engage in any activity in the physical domain that would cause damage or harm to any property or persons. \n* Do not impact the privacy of third parties. \n* Do not harm anyone. \n* Any lateral movement and post-exploitation past the initial exploitation is forbidden. \n\n# Scope\nFor submissions on assets in scope, please ensure the following requirements are met:\n\n# Browsers\nBrowsers must be up to date (latest released stable version) on the day of submission. 
Vulnerabilities which require certain plugins are out of scope. \n\nOnly the following browsers are in scope: \n* Chrome \n* Firefox \n* Safari \n* Edge \n* Internet Explorer \n\n\n# Mobile Applications Overview\n\n| Mobile Target | Download |\n| ------------- | ------------- |\n| MyPorsche Mobile Application for iOS: | Can be downloaded [here](https://apps.apple.com/de/app/my-porsche/id1559529059) |\n| MyPorsche Mobile Application for Android: | Can be downloaded [here](https://play.google.com/store/apps/details?id=com.porsche.one) |\n\n\n# The following vulnerabilities and finding types are out of scope:\n* Self-XSS and Similar Issues: Vulnerabilities only possible through self-executed cross-site scripting. \n* Email Spoofing: Including SPF, DKIM, DMARC From: spoofing and visually similar and related issues. \n* CSRF Without Integrity Impact: Cross-site request forgery issues that do not affect account integrity (e.g., login/logout, contact forms, and other publicly accessible forms). \n* Lack of Rate Limiting: Issues based on missing rate limiting.\n* Denial of Service Attacks: Including distributed denial of service (DDoS) and simulated DoS attacks.\n* Request, Port, and Protocol Flooding: Vulnerabilities caused by flooding requests, ports, or protocols.\n* Outdated Operating Systems or Browsers: Issues exploitable only on user devices with old versions of operating systems or browsers. \n* Unpatched CVEs in Third-Party Products: Recent unpatched common vulnerabilities and exposures (CVEs) in third-party products or libraries. \n* CVEs Without Security Impact: CVEs in third-party products or libraries that do not have a security impact. \n* Non-Sensitive API Key Leakage: Such as etherscan, Infura, Alchemy. \n* Human-Related Vulnerabilities: Including phishing and social engineering. \n* Fingerprinting/Banner Disclosure: On common/public services. \n* Man-in-the-Middle Attacks: Attacks requiring man-in-the-middle or physical access to a user's device. 
\n* Automated Tools/Scans: Reports from automated tools or scans without proof of a unique, valid security threat.\n* Content Spoofing/Text Injection: Without showing an attack vector or the ability to modify HTML/CSS. \n* Brute Force Attacks: Issues based on brute force attacks. \n* Password and Account Recovery Policies: Such as reset link expiration or password complexity. \n* Outdated/Unpatched Browsers and Platforms: Vulnerabilities affecting users of outdated or unpatched browsers and platforms. \n* Speculative Reports: Theoretical damage without proof of concept. \n* Physical or Social Engineering Attempts: Including phishing attacks against employees. \n* Open Ports/Services: Without proof of concept demonstrating a vulnerability. \n* Criminal Information Gathering: Vulnerabilities relying on paid or stolen information (e.g. credentials). \n* Physical Access to Devices, Products \n* Clickjacking: On pages without sensitive actions. \n\n\n# Out of Scope for iOS apps:\n* Absence of certificate pinning.\n* Lack of jailbreak detection.\n* Runtime hacking exploits (exploits only possible in a jailbroken environment).\n\n\n# Out of Scope for Android apps:\n* Absence of certificate pinning.\n\n\n\n# The following vulnerabilities and finding types are currently not eligible for rewards, except if a concrete impact is demonstrated\n* Internal IP Address Disclosure: Disclosure of internal IP addresses.\n* Theoretical Vulnerabilities and Third-Party Libraries: Vulnerabilities of third-party libraries without showing specific impact (e.g. CVE with no exploit).\n* Information Leaks Without Direct Security Impact: Such as detailed server configuration, metrics/health endpoints, debug pages, descriptive error messages, stack traces, application or server errors, path disclosure.\n* Weak Captcha Bypass: Using OCR without impact demonstration.\n* Reflected Plain Text Injection: Such as URL parameters, path.\n        1. 
This does not exclude reflected HTML injection with or without JavaScript.\n        2. This does not exclude persistent plain text injection.\n* Missing Security Best Practices: Such as missing CORS and HTTPS security headers without impact, lack of SSL/TLS best practices, and similar issues.\n* Username/Email Enumeration:\n        1. Via login page error message.\n        2. Via forgot password error message.\n* Forgot Password Page Brute Force and Account Lockout Not Enforced: Issues related to brute force attacks on the forgot password page and lack of account lockout enforcement.\n* HTTPS Mixed Content Scripts: Issues related to mixed content scripts over HTTPS.\n\n\n\n# Safe Harbor\nAny activities of a researcher in compliance with this Bug Bounty program and policy on in-scope assets will be considered as authorized by Porsche and we will not take any legal action against the researcher. If third parties initiate legal actions against the researcher based on those activities, the researcher may reference this Bug Bounty program and policy. We explicitly reject criminal activity in any form. \nAdditionally, the following safe harbor guidelines apply: \n* We utilize code written, products produced and services provided by third parties. They belong to their respective owners. We can’t grant you permission to reverse engineer any of that code or access any of that data. \n* Comply with all applicable laws, regulations and other statutory provisions. \n* Participation in this program is not permitted for persons on sanctions lists. \n* We promise not to initiate any criminal proceedings against you as long as you have adhered to the policy and principles. However, this does not apply if there have been or are discernible criminal intentions. \n* If applicable, you are expected to comply with the AWS and Azure policies \u0026 rules of engagement for penetration testing:  \n        1. 
[Penetration Testing - Amazon Web Services (AWS)](https://aws.amazon.com/de/security/penetration-testing/)\n        2. [Microsoft Cloud Penetration Testing Rules of Engagement](https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement)\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via HackerOne's approved communication channels before going any further. \n\nThank you for helping keep Porsche and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-03T07:37:48.896Z"},{"id":3761287,"new_policy":"# Program Description\nThe security of its vehicles, digital services and accessories is important to Porsche. We therefore prioritize the confidentiality, integrity and availability of our data and systems. Porsche extends this commitment to encompass customers, employees and partners as well. Despite careful development, manufacturing and testing, vulnerabilities may exist in individual cases. We value the work of security researchers in improving the security of our products and digital services and appreciate it when the community reports vulnerabilities that affect our assets. Our commitment lies in collaborating with highly skilled researchers to validate, reproduce and respond to legitimately reported vulnerabilities that are covered by the given initiative’s rules and policies. With the given bug bounty, rewards can be received by reporting vulnerabilities that are in scope of the program. Please take note of the program scope outlined in the scope tab of our policy. \nTesting any out-of-scope assets is strictly prohibited and will not be tolerated under any circumstances. 
Any such actions may lead to immediate disqualification from the program and further consequences. Only vulnerabilities discovered within the scope of the Safe Harbor Agreement qualify for submission and bounty consideration.\n\n# Exclusion of Porsche employees and active contractors/suppliers \n\nWe're excited to continue our commitment to enhancing security through the given bug bounty program. To ensure fairness and transparency, we want to clarify that our valued employees, contractors and suppliers with active procurement orders are not eligible to participate in the program. Additionally, you should not use duplicate HackerOne accounts. Thank you for your understanding and ongoing support in making our systems safer for everyone. \n\n# Response Times\nGenerally, we try to achieve the following response times: \n\n| Type of Response | Business days |\n| ------------- | ------------- |\n| First response (from report submit) | 02 days |\n| Time to triage (from report submit) | 12 days |\n| Time to bounty approval (from triage) | 30 days |\n\n# Disclosure Policy\n* Do not disclose details of this program or vulnerabilities (even resolved ones) to the public or any third party without Porsche AG’s explicit consent. \n* Follow Porsche's [standard disclosure policy](https://www.porsche.com/international/information-security/).\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# General Rules\n* In case of duplicate submissions, only the first report that was received will be awarded (provided that it can be fully reproduced). \n* Multiple exploits caused by one underlying vulnerability will be awarded one bounty. \n* Some sites might rely on shared resources or assets. If we identify this issue, we will only award a bounty for the first report. \n* Public Zero-day vulnerabilities that have had an official patch for less than 6 weeks will be awarded on a case-by-case basis. 
\n* Only interact with accounts you own or with the explicit permission of the account holder. \n* Vulnerabilities that are reported on identical systems in different hosted environments (development, production, test) are counted as one vulnerability. \n* After successful triage and subsequent closing of a report, security researchers are kindly asked to check the vulnerability for successful remediation. \n\n# Test Plan\n* No test accounts and no credentials will be provided for this program. However, if any application that is found allows for account creation / self-registration, that would be considered in scope. In this case, please use your @wearehackerone.com e-mail address.\n* Researchers should add headers to requests such as: \n        “X-HackerOne-Research: [H1 username]”\n\n# Do's\n* Always submit proof or a PoC regarding the exploitability for your finding. \n* Provide detailed reports with reproducible steps, including the full HTTP requests leading to the exploit. \n* Submit one vulnerability per report, unless you need to chain the vulnerabilities for successful exploitation. \n* Please, only ever target your own account or a test account. \n\n# Don'ts\n* Do not use automated vulnerability scanners on this program. However, targeted use of scanners for specific functionalities, custom scripts \u0026 fuzzing tools are permitted. If using any of these tools, please keep your traffic to six requests per second or less in order not to cause any degradation to Porsche’s services.  \nNote that we already run automated scans against the in-scope targets – so using these tools is likely of minimal utility to researchers. \n* Do not access or make changes to customer accounts. \n* Do not perform social engineering attacks, including phishing. \n* Do not spam. \n* Do not engage in any activity that bombards Porsche services with substantial amounts of requests or large volumes of data. 
\n* Do not perform any physical attacks or engage in any activity in the physical domain that would cause damage or harm to any property or persons. \n* Do not impact the privacy of third parties. \n* Do not harm anyone. \n* Any lateral movement and post-exploitation past the initial exploitation is forbidden. \n\n# Scope\nFor submissions on assets in scope, please ensure the following requirements are met:\n\n# Browsers\nBrowsers must be up to date (latest released stable version) on the day of submission. Vulnerabilities which require certain plugins are out of scope. \n\nOnly the following browsers are in scope: \n* Chrome \n* Firefox \n* Safari \n* Edge \n* Internet Explorer \n\n\n# Mobile Applications Overview\n\n| Mobile Target | Download |\n| ------------- | ------------- |\n| MyPorsche Mobile Application for iOS: | Can be downloaded [here](https://apps.apple.com/de/app/my-porsche/id1559529059) |\n| MyPorsche Mobile Application for Android: | Can be downloaded [here](https://play.google.com/store/apps/details?id=com.porsche.one) |\n\n\n# The following vulnerabilities and finding types are out of scope:\n* Self-XSS and Similar Issues: Vulnerabilities only possible through self-executed cross-site scripting. \n* Email Spoofing: Including SPF, DKIM, DMARC From: spoofing and visually similar and related issues. \n* CSRF Without Integrity Impact: Cross-site request forgery issues that do not affect account integrity (e.g., login/logout, contact forms, and other publicly accessible forms). \n* Lack of Rate Limiting: Issues based on missing rate limiting.\n* Denial of Service Attacks: Including distributed denial of service (DDoS) and simulated DoS attacks.\n* Request, Port, and Protocol Flooding: Vulnerabilities caused by flooding requests, ports, or protocols.\n* Outdated Operating Systems or Browsers: Issues exploitable only on user devices with old versions of operating systems or browsers. 
\n* Unpatched CVEs in Third-Party Products: Recent unpatched common vulnerabilities and exposures (CVEs) in third-party products or libraries. \n* CVEs Without Security Impact: CVEs in third-party products or libraries that do not have a security impact. \n* Non-Sensitive API Key Leakage: Such as etherscan, Infura, Alchemy. \n* Human-Related Vulnerabilities: Including phishing and social engineering. \n* Fingerprinting/Banner Disclosure: On common/public services. \n* Man-in-the-Middle Attacks: Attacks requiring man-in-the-middle or physical access to a user's device. \n* Automated Tools/Scans: Reports from automated tools or scans without proof of a unique, valid security threat.\n* Content Spoofing/Text Injection: Without showing an attack vector or the ability to modify HTML/CSS. \n* Brute Force Attacks: Issues based on brute force attacks. \n* Password and Account Recovery Policies: Such as reset link expiration or password complexity. \n* Outdated/Unpatched Browsers and Platforms: Vulnerabilities affecting users of outdated or unpatched browsers and platforms. \n* Speculative Reports: Theoretical damage without proof of concept. \n* Physical or Social Engineering Attempts: Including phishing attacks against employees. \n* Open Ports/Services: Without proof of concept demonstrating a vulnerability. \n* Criminal Information Gathering: Vulnerabilities relying on paid or stolen information (e.g. credentials). \n* Physical Access to Devices, Products \n* Clickjacking: On pages without sensitive actions. 
\n\n\n# Out of Scope for iOS apps:\n* Absence of certificate pinning.\n* Lack of jailbreak detection.\n* Runtime hacking exploits (exploits only possible in a jailbroken environment).\n\n\n# Out of Scope for Android apps:\n* Absence of certificate pinning.\n\n\n\n# The following vulnerabilities and finding types are currently not eligible for rewards, except if a concrete impact is demonstrated\n* Internal IP Address Disclosure: Disclosure of internal IP addresses.\n* Theoretical Vulnerabilities and Third-Party Libraries: Vulnerabilities of third-party libraries without showing specific impact (e.g. CVE with no exploit).\n* Information Leaks Without Direct Security Impact: Such as detailed server configuration, metrics/health endpoints, debug pages, descriptive error messages, stack traces, application or server errors, path disclosure.\n* Weak Captcha Bypass: Using OCR without impact demonstration.\n* Reflected Plain Text Injection: Such as URL parameters, path.\n        1. This does not exclude reflected HTML injection with or without JavaScript.\n        2. This does not exclude persistent plain text injection.\n* Missing Security Best Practices: Such as missing CORS and HTTPS security headers without impact, lack of SSL/TLS best practices, and similar issues.\n* Username/Email Enumeration:\n        1. Via login page error message.\n        2. Via forgot password error message.\n* Forgot Password Page Brute Force and Account Lockout Not Enforced: Issues related to brute force attacks on the forgot password page and lack of account lockout enforcement.\n* HTTPS Mixed Content Scripts: Issues related to mixed content scripts over HTTPS.\n\n\n\n# Safe Harbor\nAny activities of a researcher in compliance with this Bug Bounty program and policy on in-scope assets will be considered as authorized by Porsche and we will not take any legal action against the researcher. 
If third parties initiate legal actions against the researcher based on those activities, the researcher may reference this Bug Bounty program and policy. We explicitly reject criminal activity in any form. \nAdditionally, the following safe harbor guidelines apply: \n* We utilize code written, products produced and services provided by third parties. They belong to their respective owners. We can’t grant you permission to reverse engineer any of that code or access any of that data. \n* Comply with all applicable laws, regulations and other statutory provisions. \n* Participation in this program is not permitted for persons on sanctions lists. \n* We promise not to initiate any criminal proceedings against you as long as you have adhered to the policy and principles. However, this does not apply if there have been or are discernible criminal intentions. \n* If applicable, you are expected to comply with the AWS and Azure policies \u0026 rules of engagement for penetration testing:  \n        1. [Penetration Testing - Amazon Web Services (AWS)](https://aws.amazon.com/de/security/penetration-testing/)\n        2. [Microsoft Cloud Penetration Testing Rules of Engagement](https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement)\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via HackerOne's approved communication channels before going any further. \n\nThank you for helping keep Porsche and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-18T06:57:45.269Z"}]