Vulnerability Reporting Policy (Disclosure Policy)
The security of its vehicles, digital services and accessories is important to
If you have any information about a vulnerability in our vehicles, digital services or accessories, please let us know. In particular, we kindly request that you do not disclose any vulnerabilities found until we have had the opportunity to analyze them and, if necessary, define appropriate measures.
Please send your information via encrypted e-mail to: firstname.lastname@example.org
To encrypt, please use the certificate provided on this website. The corresponding CA certificates can be downloaded at the menu item "Volkswagen PKI CA Certificates" on https://certdist.volkswagen.de.
What is important to us:
- Comply with applicable laws, regulations and other statutory provisions as well as with contractual provisions, including licensing or consent requirements.
- Do not harm anyone.
- Avoid impact on the privacy of third parties.
- Please send us your information in German or in English.
- Please provide a contact for further queries.
- Provide sufficient information for us to reproduce and analyze the issue, including:
  - Time when the vulnerability was discovered.
  - All available information on the model and components, part numbers, chassis numbers and software versions.
  - Prerequisites and general conditions that must be fulfilled in order to be able to exploit the vulnerability.
  - Set-up configuration and modification of the vehicle, digital service or accessory and, if possible, a proof of concept.
- Please allow us to disclose the vulnerability in a coordinated manner, in particular by refraining from disclosing vulnerability details to third parties before the end of a mutually agreed timeframe.
Scope of application
- All vehicles of the
- All digital services related to the Porsche brand (e.g. Porsche Connect app).
- All vehicle accessories related to the Porsche brand (e.g. Porsche Charging Equipment).
The following vulnerabilities are not within the scope of this policy:
- Vulnerabilities of applications or systems outside the stated scope.
- Findings that result primarily from social engineering (e.g., phishing, vishing).
- User interface and user experience issues, spelling and grammar errors.