ASRG Responsible Disclosure Policy & Process
A structured vulnerability disclosure program that coordinates security research with automotive manufacturers — policy v1.1, effective April 5, 2025.
Why this policy exists
ASRG operates a coordinated disclosure program that gives researchers a clear, predictable path for reporting vulnerabilities in automotive-related products and services, and gives manufacturers a structured way to receive and remediate them.
What the program covers
Three pillars define how the program operates: what's in scope for research, how ASRG mediates between parties, and the safe-harbor protections researchers can rely on.
Scope
Connected vehicles, embedded systems, mobile applications, backend infrastructure, charging stations, and vehicle communication protocols are in scope. Out-of-scope: ASRG-operated systems, social engineering, physical attacks requiring disassembly, and unrelated denial-of-service issues.
ASRG's role
ASRG acts as an impartial mediator — validating reports, coordinating with manufacturers, facilitating communication, assigning CVEs as an authorised CVE Naming Authority, and supporting coordinated public disclosure.
Safe harbor
ASRG commits to protecting good-faith researchers who follow this policy. We will not initiate legal action against researchers who stay within the guidelines and treat all participants with respect.
How to report a vulnerability
Reports can be submitted by email or through the online submission form. Researchers may remain anonymous, and may request public credit once a vulnerability is published.
Channels
Email [email protected] (PGP encouraged; download our public key), or use the online submission form. A machine-readable copy of these contact details is also available at /.well-known/security.txt.
What to include
Affected components, version details, vendor information, technical details of the issue, clear reproduction steps, and a contact method (or a pseudonym if you wish to stay anonymous).
Credit
Researchers can request public credit at the time of submission. Credits are published alongside the coordinated disclosure once the manufacturer's remediation window has closed.
Coordinated disclosure timeline
The standard window is 90 days from report to public disclosure. Escalation triggers fire if a manufacturer is unresponsive.
- Day 0: Researcher submits the report. ASRG triages and validates the issue.
- Within 5 business days: Manufacturer is expected to acknowledge receipt.
- Day 30: ASRG sends a reminder if there has been no manufacturer response.
- Day 40: Escalation: ASRG engages additional contacts within the manufacturer.
- Day 50: If still unresponsive, public-disclosure preparation begins.
- Day 90: Standard public-disclosure window. CVE is published; researcher credit is included where requested.
Additional support
ASRG maintains a list of existing automotive disclosure programs and provides ongoing support through the Technical Committee for Vulnerability Management.
Have a question that isn't covered here? Reach out to [email protected] or explore the Technical Committee for Vulnerability Management inside the member portal.
Have something to report?
Email the ASRG security team. Anonymous submissions and PGP-encrypted reports are welcome.