Brand Promise

We at Daimler Truck take security vulnerabilities and privacy issues very seriously and we are committed to building and maintaining an effective partnership with the cybersecurity community. We value your contributions and welcome any information that could lead to the identification and remediation of a security issue in Daimler Trucks services and products. We will investigate all legitimate reports and do our best to quickly fix the issue.

Daimler Truck looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Safety Note

Safety first! Don't do anything that could cause harm to yourself or others. Keep in mind that a vehicle has several systems such as airbags that could cause serious injury when misused. Use special caution when interacting with safety-critical devices such as brake systems, steering components, the engine or high voltage components like the vehicle battery. If in doubt, let it be.

If you work on a vehicle, don't try anything that could interfere with road safety and don't experiment on public roads. Only perform testing in a safe place with a stationary vehicle.

Response Targets

Daimler Truck will make a best effort to meet the following SLAs for hackers participating in our program:

Note: If you found a flaw in our vehicles, please note that fixing a bug in a vehicle is a substantially different process than fixing a bug in classic IT systems. Vehicle software needs to meet high safety and regulatory requirements, therefore fixing a bug takes significantly more time. We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Please refrain from publishing technical details of any vulnerability you find to give us an opportunity to fix it. We will try to work out a disclosure timeline with you.
• Follow HackerOne's disclosure guidelines.
• Please be aware that other than standard IT systems, we cannot mandate installation of an update as the vehicles belong to our customers and are not under our control. Therefore, it can take a long time after a patch is released before a significant part of vehicles on the road are patched.

Qualifying Vulnerabilities

OWASP Top 10

Vehicles

• OWASP Embedded Application Security Top 10
• Remote Code Execution
• Sensitive Data Exposure
• Broken Authentication
• Compromise of update mechanisms, e.g. Flashing an ECU with arbitrary firmware
• Remote sending of arbitrary data on in-vehicle bus systems (CAN, LIN, Flexray, etc.) Unlocking vehicle functions

Out of Scope Vulnerabilities

• Dealership Websites - Some dealerships use a subdomain of daimlertruck.com to host their websites. Nevertheless, Daimler Truck is not in control of these sites. Please contact the appropriate dealership in these cases.
• Any activity that could lead to the disruption of our service (DoS/ DDoS).
• Brute force attacks and social engineering.
• Physical destruction of locks / anti-theft mechanisms, etc.
• Gaining access to the vehicle by physical destruction.
• DoS of ECUs or Bus Systems through Flooding.

Third Party Bugs

If you find a flaw in an application written by a third-party we will try to contact them and forward your findings to them in an anonymized form. In this case, we will ask you if you want your contact details to be sent to the third-party so that they can further discuss that topic with you.

Low Severity Findings

Please note that whilst we want to consider all valid submissions to our program, it will take us time to fix low impact findings.

Legal Points and Safe Harbor

Always obey your local laws!

If you work on a product or vehicle, use only a vehicle that you own or have the owner’s permission to work on. Do not modify or copy data that doesn't belong to you. We explicitly reject criminal activity in any form.

We utilize code written by third-parties. Those code parts belong to their respective owners. We can’t grant you permission to reverse engineer any of that code.

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Daimler Truck and our users safe!