Vulnerability Disclosure Policy
At Caterpillar, information security is foundational to our strategy. Therefore, we are committed to securing our products, systems and assets.
Caterpillar looks forward to working with the security research community to find potential vulnerabilities and keep our businesses and customers safe. If you believe that you have information about a potential cybersecurity vulnerability related to Caterpillar or our affiliates, please submit it pursuant to this policy.
Thank you in advance for your submission. We appreciate the security research community assisting in our security efforts.
Response Targets
We aim to respond to all report submissions containing a new potential vulnerability within five business days and will strive to keep you informed of our progress throughout the process.
Disclosure Policy Guidelines:
- Notify us as soon as possible after you discover a real or potential security issue.
- Follow HackerOne's disclosure guidelines (https://www.hackerone.com/disclosure-guidelines).
- In return for our consideration of your submission, you:
  - (1) acknowledge such consideration is sufficient;
  - (2) waive any claims related to confidentiality; and
  - (3) grant us a perpetual, irrevocable, non-exclusive, transferable, sublicensable, worldwide, royalty-free license to use, copy, reproduce, display, modify, adapt, transmit, and distribute any content submitted.
- Provide detailed reports with reproducible steps. Screenshots are welcome. If the report is not detailed enough to reproduce the issue, we may not be able to duplicate or identify the issue and we may close the submission.
- Submit one vulnerability per report. If a new vulnerability requires, or is linked to, another vulnerability, please identify the other vulnerability in the submission. Multiple submissions for the same vulnerability (e.g., different domains, same underlying issue) will be treated as duplicate submissions.
- Ask for clarification before engaging in conduct that may be inconsistent with or unaddressed by the policy.
Program Rules:
- Please keep automated testing to 100 requests per second. Going above this threshold may result in being removed from the program.
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express authorization from Caterpillar.
- Social engineering (e.g., phishing, vishing, smishing) is prohibited.
- Only interact with accounts you own or with explicit permission of the account holder.
- Do not cause harm to Caterpillar, our customers or others.
- Do not compromise the privacy or safety of Caterpillar, our customers or others and do not compromise the operation of our services. This includes, without limitation:
  - Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data.
  - Do not alter, save, store, transfer, or otherwise access data, and immediately purge any data that you may have stored locally (e.g., cached) upon reporting the vulnerability to us.
  - Act in good faith to avoid privacy violations, destruction of data and interruption or degradation of our services.
- Do not violate any laws, including any privacy or data security laws.
- Do not conduct research on out-of-scope vulnerabilities.
- Only use exploits to the extent it is both reasonable and necessary to confirm a vulnerability’s presence.
- Do not use an exploit to compromise or exfiltrate data, establish persistent command line access or to probe other systems.
Test Plan:
- When signing up for any of Caterpillar's domains, please use your wearehackerone.com alias.
Eligibility:
- You must be 18 years of age or older and of sound mind to submit a vulnerability for consideration. If you are a minor, you must submit through a parent or legal guardian.
- You are an individual security researcher participating in your own individual capacity.
- If you work for a security research organization, that organization permits you to participate in your own individual capacity. You are responsible for reviewing, and abiding by, your employer’s rules for participating in this program.
Researchers who meet any of the following criteria are ineligible for participation:
- A resident of any country or region under United States sanctions, such as Cuba, Iran, North Korea, Sudan, Syria, or Crimea, or a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.
In Scope
- All Caterpillar Inc. applications (web applications, APIs, iOS and Android mobile apps, etc.), including the applications of Caterpillar brands such as Anchor, AsiaTrak, Cat, Cat Financial, Cat Lift Trucks, Cat Reman, Cat Rental Store, FG Wilson, Hindustan, M2M, MWM, MaK, Perkins, Progress Rail, SEM, SPM Oil & Gas, Solar Turbines and Turner Powertrain Systems. The full list of Caterpillar Inc. brands can be found at https://www.caterpillar.com/en/brands.html
Out of Scope Vulnerabilities
Any vulnerabilities requiring physical proximity to a Caterpillar facility, machines, equipment, or other hardware and any software, firmware or other components of such machines, equipment, or hardware (collectively, “Cat Equipment”) are out of scope. Additionally, when reporting vulnerabilities, please consider (1) attack scenario/exploitability and (2) security impact of the vulnerability.
The following issues are also considered out of scope:
- Vulnerabilities requiring social engineering/phishing to exploit. Including, but not limited to:
- Session Cookie reuse
- Open redirect vulnerabilities
- Open ports which do not lead directly to a vulnerability
- Distributed Denial of Service Attacks
- Presence of autocomplete attribute on web forms
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a device
- Previously known vulnerable libraries without a working proof of concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or secure flags on cookies
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind the latest released stable version)
- Software version disclosure/banner identification issues/descriptive error messages or headers (e.g., stack traces, application or server errors)
- Tabnabbing
- Open redirects - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
Safe Harbor
Gold Standard Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. “Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (“TOS”) and/or Acceptable Use Policies (“AUP”) that conflicts with the standard for Good Faith Security Research outlined here.
This means that, for activity conducted while this program is active, we:
- Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
- Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.
You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our policy.
Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.