Responsible Disclosure Policy
John Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.
We encourage the security research community, and anyone else, to report any potential vulnerabilities in accordance with the guidelines below. Please note that John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.
Disclosure Policy Guidelines
- Provide detailed reports with reproducible steps. Screenshots are welcome.
- Do not cause harm to John Deere, our customers, or others.
- Do not compromise the privacy or safety of John Deere, our customers, or others, or the operation of our services. Specifically:
  - Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data:
    - Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us.
  - Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not violate any laws, including all privacy and data security laws.
- Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.
- Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.
- Do not participate in this program if you are:
  - A member of a foreign terrorist organization as designated by the U.S. Department of State;
  - A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (“OFAC”);
  - Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of Commerce.
- We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.
Using Credentials found in Breached Data
- The submission of breached credentials is currently out of scope as we develop and implement internal processes to mitigate exposure.
Safe Harbor
We agree to not pursue civil action against researchers who comply with John Deere’s and HackerOne’s policies regarding this vulnerability disclosure program. In the event of a conflict between this policy and any HackerOne policy, this policy applies.
Program Scope
Any John Deere digital application, product or service, including John Deere machines, equipment or hardware (collectively “Equipment”), as well as any software, firmware or other component of John Deere Equipment.
For the purposes of Program Scope, “John Deere” includes Deere & Company and each of its wholly owned subsidiaries. Examples of digital applications, products and services that are in scope can be found on the "Scope" tab of the policy page.
Tracking
To help us identify you as a HackerOne researcher, please include a custom User-Agent in your request headers: 'hackerone-{your username}'.
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider:
- Attack scenario/exploitability.
- Security impact of the bug.
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Rate limiting vulnerabilities.
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
- Any vulnerability requiring social engineering or phishing to exploit, including, but not limited to:
  - Self/Client/Reflective XSS (exception: Stored XSS vulnerabilities).
  - Session cookie reuse.
  - Open redirect vulnerabilities.
- Open ports which do not lead directly to a vulnerability.
- Reports from automated tools or scans without a working Proof of Concept.
- Physical penetration testing.
- Denial of Service attacks.
- Presence of the autocomplete attribute on web forms.
- John Deere machines or equipment.
- Cache poisoning vulnerabilities relating to CloudFront (CDN).
Dangling IP Vulnerabilities
- Accepted: Dangling IP vulnerabilities are in scope only if you can demonstrate a clear and reproducible security impact, such as a subdomain takeover or the ability for an attacker to claim the IP address and serve malicious content to users or systems. Reports must include evidence of a practical exploit, not just the existence of an unassigned or unallocated IP. Simply showing that an IP address is no longer listed as owned by John Deere is not sufficient evidence of impact.
- Not Accepted: Reports of unassigned, unallocated, or "dangling" IP addresses that do not result in a proven security risk (e.g., no subdomain takeover, no ability to intercept or serve traffic) are out of scope. Merely identifying a released or unassociated IP address is not sufficient for a valid report.
Account Registration
When registering for John Deere accounts on assets that allow self-registration, we kindly request that you use your official HackerOne email address ending with @wearehackerone.com. This ensures we can accurately identify and verify the legitimacy of researchers engaging with HackerOne.
Any role-based or authorization vulnerability, in which a user can execute actions not intended by their assigned role, will be classified as a low severity issue if the following conditions are met:
- The user or hacker must be invited or added to an account, organization, or similar entity by an administrator of that entity.
- The unintended actions can be executed within the context of that specific entity only.
Any John Deere digital application, product or service, but excluding: (1) any John Deere machine, equipment or other hardware (collectively “Equipment”) and (2) any software, firmware or other component of John Deere Equipment.