Responsible Disclosure is an ethical method to report system vulnerabilities in Ferrari IT systems and services, which allows us to identify and apply the appropriate countermeasures.

By following this method, the sender helps us to identify and resolve system flaws, providing a valuable and efficient contribution to increase the security of IT services and customers data and avoiding damage or disruption to our systems.

Should customers, researchers or experts (“Researcher” from now on) identify one or more vulnerabilities in any of the following environments:

• Ferrari portals (e.g. www.ferrari.com, etc.)
• Mobile applications bearing the Ferrari logo and published on official stores
• Any Ferrari product
• Other technological instrument or IT services in use or provided by Ferrari

they can notify Ferrari following the procedure below.

The Researcher must avoid performing any activity that can either disrupt the impacted system or service or cause any data leakage/loss, limiting the activities to the minimum necessary and refraining from accessing data not strictly necessary to prove the existence of the vulnerability.

Specifically, whoever activates the procedure must send a description of the vulnerability (Vulnerability Report from now on) via email to responsible_disclosure@ferrari.com

All fields below must be present in the Vulnerability Report, or it will be rejected:

• Date and Time of discovery + timezone
• Type of vulnerability or issue
• Service, product or URL affected
• IP address from which the vulnerability was identified
• Information necessary to reproduce the issue
• Confirmation that no activity has been performed to disrupt our system or services and that no data/code has been copied, altered, leaked or deleted.
  If, while performing activities for this Vulnerability Report, the Researcher has accidentally failed to play by the above rules, then the Researcher is required to describe the actions performed
• The consensus to be listed in the Hall of Fame section. If yes, the Researcher should provide his/her name or alias. This information will be used exclusively in Ferrari Hall of Fame. His/her email address will not be published and will possibly be used for a direct contact with the Researcher.

Participation in this Programme implies strict secrecy on all information pertaining to the vulnerabilities discovered, and therefore the Researcher commits not to reveal any of these, entirely or partially, or in any form make them available to third parties without Ferrari authorization.

Once a notice has been received, Ferrari is committed to follow up as follows:

1. Send an email to the Researcher to acknowledge reception of the Vulnerability Report
2. After the analysis and only if
   • it is not a false positive and
   • it has not been previously reported by another Researcher,

then Ferrari will send a second email with a feedback to the Researcher

3. Adequately evaluate the Vulnerability Report received from the Researcher
4. If the Vulnerability Report is considered eligible by Ferrari, and if the Researcher authorized the publication of his/her name, Ferrari will publish his/her name in the Hall of Fame section of Ferrari.com website, to publicly thanks the Researcher and recognize his/her valuable contribution in increasing the security of our products and services for our benefit and for the benefit of our customers
5. At its sole discretion, Ferrari can reward some of the most important disclosures offering to the Researcher either a guided factory tour (travel expenses to Maranello excluded) or a Ferrari small gift (shipping costs included), upon Researchers’ choice.

Below you will find some examples of vulnerability categories, which are considered eligible for publication in the Hall of Fame:

• ICT vulnerabilities
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Injection (i.e. SQL injection, user input)
• Broken Authentication and Session Management
• Broken Access Control
• Security Misconfiguration
• Redirect / Man in the Middle attacks
• Remote code execution
• Underprotected API
• Privilege Escalation
• Product vulnerabilities

The following situations are not covered by this Responsible Disclosure initiative and therefore are not eligible for the Hall of Fame:

• Situations that are not inherent to security aspects (i.e. unavailability of a service, non-security bugs in a GUI, etc.) and therefore managed through traditional channels of customer care
• Problems regarding phishing or spam and vulnerabilities inherent to social engineering techniques; these must be signaled either via email to abuse@ferrari.com. If the original email contains a suspicious attachment, please make sure that it is not included in your message, as this will like cause your email to be blocked
• Results of automatic tools for vulnerability assessment/penetration testing (i.e. Nessus, nmap, …)
• Reports on the use of weak configurations of the TLS protocol, or reports on non-compliance with best practices such as, for example, the lack of security headers

While carrying out Vulnerability Research activities please respect the following rules:

• report the vulnerability to us as previously explained;
• report the vulnerability as soon as you can to prevent it to be exploited before we have a chance to fix it;
• report the vulnerability to us while keeping the information confidential (in particular if it concerns personal data);
• do not use social engineering or phishing to gain access to our IT infrastructure or services;
• do not install your own backdoor or execute code in our systems to disclose the vulnerability as this may result in unnecessary damage and security risks;
• do not exploit a vulnerability beyond what’s necessary to confirm it; if accidentally the Researcher has not respected this rule, please inform us
• do not modify the system/service or data in any manner;
• do not use Denial of Service attacks, aggressive and/or automated scanning or brute force access technology;
• do not impact the confidentiality, integrity or availability of our services or our data;
• do not access Ferrari services or systems using stolen credentials available e.g. in the dark web
• Certain hacking activities constitute criminal actions. To protect you and us please act in good faith and follow the above rules of ethical engagement

We would like to thank all persons who make a responsible disclosure to us and recognize their valuable contribution in increasing the security of our products and services for our benefit and for the benefit of our customers by featuring those contributors in our hall of fame.

Ferrari reserves the right to update or dismiss this Responsible Disclosure Programme at any time.

The Programme is forbidden to minors.

 

If at any time you have questions about this programme, feel free to reach out to responsible_disclosure@ferrari.com

This programme is based on guidance issued in 2022 by Enisa, available here: