
Tata Motors
External Program
Submit bugs directly to this organization

As part of our commitment to protecting our customers and infrastructure, we invite you to help us identify vulnerabilities in our systems. By submitting well-documented vulnerability reports, you'll be playing a vital role in strengthening our security posture.
We take all reported vulnerabilities seriously and will work diligently to address them in a timely manner. Please note that Tata Motors reserves the right to modify or terminate the program as needed.
Thank you for joining us in building a more secure environment!
We request that you inform us promptly upon discovering a potential security vulnerability.
Our team will work quickly to resolve the issue.
We kindly request that you make a sincere effort to avoid violating privacy, damaging data, or disrupting our services in any way.
Please provide detailed reports with a clear textual description along with steps to reproduce the vulnerability.
Include attachments such as screenshots or PoC code where necessary.
Include a clear attack scenario. How will this affect us exactly?
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Protecting customers is Tata Motors' highest priority. We endeavor to address each Vulnerability report in a timely manner. While we are doing that, we require that Submissions remain confidential and are not disclosed to third parties or as part of paper reviews or conference submissions.
You cannot make available any information regarding your research, including high-level descriptions, demonstrations, or proof-of-concept exploit code, either before or after the Vulnerability is fixed. We require that all details related to the Vulnerability and your research remain confidential.
Violations of this section could disqualify you from participating in the program in the future and may have legal consequences.
By participating in the Program, you agree to follow these rules:
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users without the express permission of our team.
Don't exploit vulnerabilities you find.
Don't disclose sensitive data.
Don't do anything illegal.
Don't engage in any activity that exploits, harms, or threatens to harm children.
Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
Don't engage in activity that is false or misleading.
Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
Don't help others break these rules.
If you violate these Terms, you may be prohibited from participating in the Program in the future.
The following systems are eligible for vulnerability assessments within the scope of this program.
Your IP address will be collected during your participation in this program.
Collaboration with other researchers is not permitted within this program.
A maximum rate limit of 400 requests per minute is enforced for your tooling. Please ensure your automated scans adhere to this limit.
Reports falling into the categories listed below are considered out of scope for this program:
Any reports on non-target issues, outside the defined scope.
Clickjacking on pages with no sensitive actions.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
Attacks requiring MITM or physical access to a user's device.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
Rate limiting or brute-force issues on non-authentication endpoints.
Service hardening recommendations without a clear security impact, including missing or weak CAPTCHA or rate limiting, and the brute forcing that improper rate limiting can allow.
Unrestricted file uploads without a clear impact beyond resource consumption, DoS, undesirable content, etc.
Self-XSS.
Missing security headers.
Missing HttpOnly or Secure flags on cookies.
Weak password policies.
Session management issues, such as session timeout, session hijacking, etc.
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website.
Previously known vulnerable libraries without a working Proof of Concept.
Public zero-day vulnerabilities that have had an official patch for less than 1 month.
Tabnabbing.
Open redirect, unless an additional security impact can be demonstrated.
Issues that require unlikely user interaction.