Toyota

Toyota is committed to maintaining an effective partnership with the cybersecurity community. We value your contributions and appreciate the opportunity to work with you.

Scope

Reports submitted through this website are explicitly in scope and will be accepted for evaluation if they relate to: the www.toyota.com, www.lexus.com, and www.toyotaconnected.com properties; Toyota or Lexus vehicles. Please refer to the Scope tab for additional in scope properties.

Toyota reserves the right to treat additional reports that comply with the program requirements as in scope. While Toyota may share reports related to other online properties managed by Toyota affiliate companies for their consideration, such reports will be closed as Informative. Toyota reserves the right to change the scope of the program over time.

Exclusions

The following vulnerabilities are excluded from this program: vulnerabilities with minimal security impact or low exploitability, vulnerabilities beyond Toyota’s control, vulnerabilities discoverable through automated scans which have not been verified manually, or vulnerabilities related to a violation of the program requirements. Vulnerabilities in vehicles are also excluded from this program if they require physical destruction or unauthorized modifications; if they relate to non-current vehicle software or backend systems for vehicles; or if Toyota is already aware of the vulnerability and has begun the remediation process.

Out of scope vulnerabilities for online properties include:

• Clickjacking on pages with no sensitive actions;
• CSRF without a demonstrated vulnerability;
• Security issues in third-party systems integrated with or related to Toyota systems;
• Password and account recovery policies, such as reset link expiration or password complexity;
• Presence of autocomplete attribute on web forms;
• Software version disclosure;
• User ID enumeration;
• Vulnerabilities only affecting outdated or unpatched browsers;
• SSL/TLS configurations without a demonstrated vulnerability;
• Content spoofing/text injection that cannot be leveraged for XSS or sensitive data disclosure;
• Missing http-only or secure cookie flags unrelated to a vulnerability;
• Missing security headers unrelated to a vulnerability;
• Attacks against network and security infrastructure; and
• Email spoofing issues (e.g., absence or misconfiguration of SPF, DKIM, DMARC).

Toyota retains discretion to determine whether a report meets the program requirements or is excluded.

Program Requirements

Toyota agrees not to pursue legal action against researchers who submit in-scope reports and:

• Engage in testing/research of systems without harming Toyota, its customers, employees, or third parties;
• Take good faith measures to ensure the privacy of Toyota’s customers, employees, or other individuals and immediately notify Toyota in the event of inadvertent discovery of personal information and delete any such locally-stored information;
• Do not conduct social engineering, spam, or phishing attacks;
• Do not test the physical security of any property of Toyota or third parties;
• Do not conduct denial-of-service or resource-exhaustion attacks;
• Immediately report the discovery of credentials associated with Toyota systems, users, or applications, and do not pursue any testing or use of those credentials;
• Comply with applicable criminal laws;
• Adhere to other applicable laws (other than those that would result only in claims by Toyota);
• Are not a person employed by Toyota or a Toyota supplier, and are not submitting a report by a person employed by Toyota or a Toyota supplier; and
• Comply with the HackerOne Terms and Conditions as well as the terms stated here.

Toyota considers activities conducted consistent with these program terms and HackerOne’s policies to be authorized conduct.

Except as described in the next paragraph, you agree not to disclose to a third-party any information related to a report that you submitted to Toyota through this website, the vulnerability reported, nor the fact that a vulnerability has been reported to Toyota. This agreement regarding disclosure applies regardless of whether Toyota had prior knowledge of the information.

You agree that Toyota may disclose the information in a report you submit through this website. Toyota will consider any request by you to make a disclosure. Requests to disclose in-scope reports relating to vehicles are subject to the HackerOne Vulnerability Disclosure Guidelines. Toyota reserves the right to deny requests to disclose other reports.

How to Submit a Report

To submit a report to Toyota, please use the Submit Report button on this page.

By submitting a report, you represent that you are not located in or otherwise ordinarily resident in Cuba, Iran, North Korea, Sudan, Syria or Crimea; and that you are not identified on, or owned or controlled by or acting on behalf of a party identified on, restricted party lists maintained by the U.S. or other relevant governments.

Expectations for Researchers

• Well-written reports in English will have a higher chance of faster response and resolution;
• Reports that include proof-of-concept code enable Toyota to better understand and triage the submitted information and a proof-of-concept is required for any report relating to a vehicle;
• Reports that include only output from programs may receive lower priority;
• Participating in this program does not give you any right to intellectual property owned by Toyota or a third party;
• Please include how you found the vulnerability; if possible include any potential remediation(s); and
• Please do not include any personal information.

What You Can Expect

• A timely response to your submission;
• An open dialog to discuss issues;
• Notification when each stage of Toyota’s review has completed; and
• Recognition after the vulnerability has been validated and fixed.

##Fine Print

We use “Toyota” to refer to Toyota Motor North America, Inc. (“TMNA”) and, to the extent that a report pertains to www.toyotaconnected.com, Toyota Connected North America, Inc. (“TCNA”). In-scope reports that relate to a vehicle sold by or a property operated by an affiliate of Toyota are referred to the appropriate Toyota affiliate for all follow up actions. Decisions regarding a report (e.g. whether to remediate or whether to disclose a report) are made by the appropriate Toyota affiliate, and TMNA and TCNA are not responsible for the handling of those reports or subsequent actions taken by the relevant Toyota affiliate. Referral of a report to a Toyota affiliate does not change your responsibilities under this program, including with respect to confidentiality.