Responsible Disclosure is an ethical method to report system vulnerabilities in Ferrari IT systems and services, which allows us to identify and apply the appropriate countermeasures.
By following this method, the sender helps us identify and resolve system flaws, making a valuable and efficient contribution to the security of our IT services and customer data while avoiding damage or disruption to our systems.
Should customers, researchers or experts (“Researcher” from now on) identify one or more vulnerabilities in any of the following environments:
they can notify Ferrari following the procedure below.
The Researcher must avoid performing any activity that can either disrupt the impacted system or service or cause any data leakage/loss, limiting the activities to the minimum necessary and refraining from accessing data not strictly necessary to prove the existence of the vulnerability.
Specifically, whoever activates the procedure must send a description of the vulnerability (“Vulnerability Report” from now on) via email to responsible_disclosure@ferrari.com.
All fields below must be present in the Vulnerability Report, or it will be rejected:
Participation in this Programme implies strict secrecy on all information pertaining to the vulnerabilities discovered; the Researcher therefore commits not to reveal any of it, in whole or in part, or in any form make it available to third parties without Ferrari's authorization.
Once a notice has been received, Ferrari commits to follow up as follows:
then Ferrari will send a second email with feedback to the Researcher.
Below you will find some examples of vulnerability categories, which are considered eligible for publication in the Hall of Fame:
The following situations are not covered by this Responsible Disclosure initiative and therefore are not eligible for the Hall of Fame:
While carrying out Vulnerability Research activities, please respect the following rules:
Ferrari reserves the right to update or dismiss this Responsible Disclosure Programme at any time.
The Programme is not open to minors.
If at any time you have questions about this Programme, feel free to reach out to responsible_disclosure@ferrari.com.
This Programme is based on guidance issued in 2022 by ENISA, available here: