Vulnerability Reporting Policy (Disclosure Policy)

The security of its vehicles, digital services and accessories is important to Porsche. Despite careful development, manufacturing and testing, vulnerabilities may exist in individual cases. We always strive to identify relevant vulnerabilities and are happy to work with people who report them to us.

If you have any information about a vulnerability in our vehicles, digital services or accessories, please let us know. In particular, we kindly request that you do not disclose any vulnerabilities found until we have had the opportunity to analyze them and, if necessary, define appropriate measures.

Please send your information via encrypted e-mail to: vulnerability@porsche.de

S/MIME certificate (ZIP; 0,002 MB)

To encrypt your message, please use the certificate provided on this website. The corresponding CA certificates can be downloaded under the menu item "Volkswagen PKI CA Certificates" at https://certdist.volkswagen.de.

Our principles
What is important to us:

  • Comply with applicable laws, regulations and other statutory provisions as well as with contractual provisions, including licensing or consent requirements.
  • Do not harm anyone.
  • Avoid impact on the privacy of third parties.
  • Please send us your information in German or in English.
  • Please provide a contact for further queries.
  • Provide sufficient information for us to reproduce and analyze the issue, including:
    o Time when the vulnerability was discovered.
    o All available information on the model and components, part numbers, chassis numbers and software versions.
    o Prerequisites and general conditions that must be fulfilled in order to be able to exploit the vulnerability.
    o Setup, configuration and modification of the vehicle, digital service or accessory and, if possible, a proof of concept.
  • Please allow us to disclose the vulnerability in a coordinated manner, in particular by refraining from disclosing vulnerability details to third parties before the end of a mutually agreed timeframe.

Scope of application

  • All vehicles of the Porsche brand.
  • All digital services related to the Porsche brand (e.g. Porsche Connect app).
  • All vehicle accessories related to the Porsche brand (e.g. Porsche Charging Equipment).

Non-qualified vulnerabilities
The following vulnerabilities are not within the scope of this policy:

  • Vulnerabilities of applications or systems outside the stated scope.
  • Findings that result primarily from social engineering (e.g., phishing, vishing).
  • User interface and user experience issues, spelling and grammar errors.