
Security Vulnerability Reporting Policy - LukeHoersten
https://www.tesla.com/about/legal#security-vulnerability-reporting-policy
======
tptacek
And? Lots of companies do; it's a best practice.

~~~
LukeHoersten
I thought it was an interesting position for what is ostensibly a car company
to take. If this is common for car companies, who are more and more becoming
software companies, I was unaware.

Also, personally I’m a big fan of yours.

------
milkshakes
At least they posted the public key instead of the private one like Adobe:
[https://arstechnica.com/information-technology/2017/09/in-sp...](https://arstechnica.com/information-technology/2017/09/in-spectacular-fail-adobe-security-team-posts-private-pgp-key-on-blog/)

------
fintler
> Priority will be granted to encrypted reports – please include your PGP
> public key with such reports.

Is this a common thing? Why should they give priority to encrypted reports?

~~~
jamestimmins
It could be a somewhat arbitrary bar to separate the wheat from the chaff. If
they get a lot of questionable submissions, prioritizing encrypted submissions
means prioritizing submitters who at least know enough to use encryption.

------
coenhyde
Also a bug bounty: [https://bugcrowd.com/tesla](https://bugcrowd.com/tesla)

