Vulnerability Reporting Policy Daimler Truck

Brand Promise

We at Daimler Truck take security vulnerabilities and privacy issues very seriously. We are committed to building and maintaining an effective partnership with the cybersecurity community. We value your contributions and welcome any information that could lead to the identification and remediation of a security issue in Daimler Truck's services and products. We will investigate all legitimate reports and do our best to quickly fix the problem.

Safety First

Safety first! Don't do anything that could cause harm to yourself or others. Keep in mind that a vehicle has several systems like airbags that could cause serious injury when misused. If in doubt, let it be.

If you work on a vehicle, don't try anything that could interfere with road safety and don't experiment on public roads. Only perform testing in a safe place with a stationary vehicle.

Response Targets

Daimler Truck will make a best effort to address the issues as soon as possible depending on severity and complexity.

Whilst we want to consider all valid submissions to our program, it will take us time to fix low-impact findings.

Note: If you have found a flaw in our vehicles, please be aware that fixing a bug in a vehicle is a substantially different process from fixing a bug in classic IT systems. Vehicle software needs to meet high safety and regulatory requirements, therefore fixing a bug takes significantly more time. We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • Please refrain from publishing technical details of any vulnerability you find, to give us an opportunity to fix it. We will try to work out a disclosure timeline with you.
  • Please be aware that, unlike standard IT systems, we cannot mandate installation of an update, as the vehicles belong to our customers and are not under our control. Therefore, it can take a long time after a patch is released before a significant share of the vehicles on the road are patched.

Qualifying Vulnerabilities

  • OWASP Top 10

Vehicles

  • OWASP Embedded Application Security Top 10
  • Remote Code Execution
  • Sensitive Data Exposure
  • Broken Authentication
  • Compromise of update mechanisms, e.g. flashing an ECU with arbitrary firmware
  • Remote sending of arbitrary data on in-vehicle bus systems (CAN, LIN, FlexRay, etc.)
  • Unlocking vehicle functions

Out of Scope Vulnerabilities

  • Dealership Websites - Some dealerships use a subdomain of daimlertruck.com to host their websites. Nevertheless, Daimler Truck is not in control of these sites. Please contact the appropriate dealership in these cases.
  • Any activity that could lead to the disruption of our service (DoS / DDoS).
  • Brute force attacks and social engineering.
  • Physical destruction of locks / anti-theft mechanisms, etc.
  • Gaining access to the vehicle by physical destruction.
  • DoS of ECUs or Bus Systems through Flooding.

Assets in Scope:

Domains:

  • daimlertruck.com
  • bharatbenz.com
  • fleetboard.de
  • fleetboard.com
  • evobus.com
  • omniplus.com
  • setra.de
  • mercedes-benz-trucks.com
  • mitsubishi-fuso.com


Other: All apps published by Daimler Truck AG, and all vehicles sold under the brands Mercedes-Benz Trucks & Buses, Freightliner Trucks, FUSO Trucks & Buses, BharatBenz Trucks & Buses, Western Star, Thomas Built Buses, EvoBus and Setra.

Assets out of Scope:

daimler.com, fuso.com

Third Party Bugs

If you find a flaw in an application written by a third party, we will try to contact them and forward your findings to them in an anonymized form. In this case, we will ask you whether you want your contact details to be sent to the third party so that they can discuss the topic further with you.

Legal Points and Safe Harbor

Always obey your local laws!

If you work on a product or vehicle, use only a vehicle that you own or have the owner’s permission to work on. Do not modify or copy data that doesn't belong to you. We explicitly reject criminal activity in any form.

We utilize code written by third-parties. Those code parts belong to their respective owners. We can’t grant you permission to reverse engineer any of that code.

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Daimler Truck and our users safe!

Please submit your findings here.