{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T05:04:58Z","timestamp":1773205498958,"version":"3.50.1"},"reference-count":62,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2021,5,6]],"date-time":"2021-05-06T00:00:00Z","timestamp":1620259200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100002347","name":"Bundesministerium f\u00fcr Bildung und Forschung","doi-asserted-by":"publisher","award":["01KIS079"],"award-info":[{"award-number":["01KIS079"]}],"id":[{"id":"10.13039\/501100002347","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>Since several years, the overall awareness for the necessity to consider a vehicle as a potentially vulnerable system is facing accelerated growth. In 2015, the safety relevant exploitability of vulnerabilities through cyber attacks was exposed to a broader public for the first time. Only a few months after this attack has reached public awareness, affected manufacturer implemented one of the first bug bounty programs within the automotive field. Since then, many others followed by adapting some of ITs good practices for handling and responsibly disclose found and reported vulnerabilities for the automotive field. Nevertheless, this work points out that much remains to be done concerning quantity and quality of these measures. In order to cope with this, this present paper deals with what can be learned from IT and which conclusions can be drawn from these findings in the light of special conditions in the automotive environment. Furthermore, current handling and challenges regarding the disclosure process of vulnerabilities in the automotive sector are presented. These challenges are addressed by discussing desirable conditions for a beneficial disclosure culture as well as requirements and responsibilities of all parties involved in the disclosure process.<\/jats:p>","DOI":"10.3390\/jcp1020015","type":"journal-article","created":{"date-parts":[[2021,5,6]],"date-time":"2021-05-06T11:10:27Z","timestamp":1620299427000},"page":"274-288","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["Automotive Vulnerability Disclosure: Stakeholders, Opportunities, Challenges"],"prefix":"10.3390","volume":"1","author":[{"given":"Robin","family":"Bolz","sequence":"first","affiliation":[{"name":"Institute of Energy Efficient Mobility, Karlsruhe University of Applied Sciences, 76133 Karlsruhe, Germany"}]},{"given":"Reiner","family":"Kriesten","sequence":"additional","affiliation":[{"name":"Institute of Energy Efficient Mobility, Karlsruhe University of Applied Sciences, 76133 Karlsruhe, Germany"}]}],"member":"1968","published-online":{"date-parts":[[2021,5,6]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"544","DOI":"10.1109\/TSE.2007.70712","article-title":"An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price","volume":"33","author":"Telang","year":"2007","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_2","unstructured":"(2020, April 20). NIST, NVD\u2014National Vulnerability Database, Available online: https:\/\/nvd.nist.gov\/vuln\/full-listing."},{"key":"ref_3","unstructured":"(2020, April 20). Hackerone, General Motors Celebrates Second Anniversary with Hackers Customer Stories. Available online: https:\/\/www.hackerone.com\/blog\/General-Motors-Celebrates-Second-Anniversary-Hackers."},{"key":"ref_4","unstructured":"Statista GmbH (2020, April 10). Lebensdauer von Autos in Deutschland Nach Automarken. Available online: https:\/\/de.statista.com\/statistik\/daten\/studie\/316498\/umfrage\/lebensdauer-von-autos-deutschland\/."},{"key":"ref_5","unstructured":"Krempl, F. (2020, May 28). Security by Design im Auto: Neue UN-Vorgaben F\u00fcr Cybersicherheit von Fahrzeugen. Available online: https:\/\/www.heise.de\/news\/Security-by-Design-Neue-UN-Vorgaben-fuer-Cybersicherheit-im-Auto-4767180.html?seite=all."},{"key":"ref_6","unstructured":"McKinsey & Company, GSA (2020, April 10). Cybersecurity in Automotive\u2014Mastering the Challenge. Available online: https:\/\/www.gsaglobal.org\/resources\/cybersecurity-in-automotive-mastering-the-challenge\/."},{"key":"ref_7","unstructured":"UNECE\/TRANS\/WP.29\/GRVA (2020, July 23). Proposal for a New UN Regulation on Uniform Provisions Concerning the Approval of Vehicles with Regards to Cyber Security and Cyber Security Management System. Available online: https:\/\/unece.org\/DAM\/trans\/doc\/2020\/wp29grva\/ECE-TRANS-WP29-2020-079-Revised.pdf."},{"key":"ref_8","unstructured":"UNECE\/TRANS\/WP.29\/GRVA (2021, March 25). Proposal for a New UN Regulation on Uniform Provisions Concerning the Approval of Vehicles with Regards to Software Update and Software Updates Management System. Available online: https:\/\/undocs.org\/ECE\/TRANS\/WP.29\/2020\/80."},{"key":"ref_9","unstructured":"UNECE Press Releases (2021, March 23). UN Regulations on Cybersecurity and Software Updates to Pave the Way for Mass Roll Out of Connected Vehicles. Available online: https:\/\/unece.org\/press\/un-regulations-cybersecurity-and-software-updates-pave-way-mass-roll-out-connected-vehicles."},{"key":"ref_10","unstructured":"(2020, April 29). ISO\/SAE FDIS 21434, Road vehicles\u2014Cybersecurity Engineering. Available online: https:\/\/www.iso.org\/standard\/70918.html."},{"key":"ref_11","unstructured":"Upstream Security (2020, April 05). Global Automotive Cybersecurity Report. Available online: https:\/\/www.upstream.auto\/research\/automotive-cybersecurity\/?id=null."},{"key":"ref_12","unstructured":"(2020, April 10). Euro NCAP Crashtest. Available online: https:\/\/www.euroncap.com\/en\/ratings-rewards\/latest-safety-ratings\/."},{"key":"ref_13","unstructured":"(2020, April 05). ADAC Pannenstatistik. Available online: https:\/\/www.adac.de\/rund-ums-fahrzeug\/unfall-schaden-panne\/adac-pannenstatistik\/."},{"key":"ref_14","unstructured":"CERT\/CC Computer Emergency Response Team\/Coordination Center (2020, May 28). What is Vulnerability Coordination?. Available online: https:\/\/vuls.cert.org\/confluence\/pages\/viewpage.action?pageId=4718642."},{"key":"ref_15","unstructured":"(2021, April 29). ISO\/IEC 29147:2014 Information technology\u2014Security techniques\u2014Vulnerability Disclosure. Available online: https:\/\/www.iso.org\/standard\/45170.html."},{"key":"ref_16","unstructured":"(2021, April 29). ISO\/IEC 30111:2019, Information technology\u2014Security techniques\u2014Vulnerability Handling, amended in 2019. Available online: https:\/\/www.iso.org\/standard\/69725.html."},{"key":"ref_17","unstructured":"Google Security Team (2020, May 28). Rebooting Responsible Disclosure: A focus on Protecting End Users. Available online: https:\/\/security.googleblog.com\/2010\/07\/rebooting-responsible-disclosure-focus.html."},{"key":"ref_18","unstructured":"(2021, April 29). Jan Neutze (Microsoft), Coordinated Vulnerability Disclosure (CVD), CEPS Event: Software Vulnerabilities Disclosure: The European Landscape, Brussels. Available online: https:\/\/www.ceps.eu\/wp-content\/uploads\/2017\/05\/Jan%20Neutze%20Microfsoft%20-%20CVD.pdf."},{"key":"ref_19","unstructured":"(2020, April 20). About the Zero Day Initiative. Available online: https:\/\/www.zerodayinitiative.com\/about\/."},{"key":"ref_20","unstructured":"CERT\/CC Computer Emergency Response Team\/Coordination Center (2020, May 28). Vulnerability Reporting Form. Available online: https:\/\/www.kb.cert.org\/vuls\/vulcoordrequest\/."},{"key":"ref_21","unstructured":"Zero Day Initiative (2020, April 20). The Zero Day Initiative Disclosure Policy. Available online: https:\/\/www.zerodayinitiative.com\/advisories\/disclosure_policy\/."},{"key":"ref_22","unstructured":"Rapid7 (2020, April 20). The Rapid7 Disclosure Policy. Available online: https:\/\/www.rapid7.com\/security\/disclosure\/."},{"key":"ref_23","unstructured":"Project Zero (2020, March 08). Policy and Disclosure: 2020 Edition. Available online: https:\/\/googleprojectzero.blogspot.com\/2020\/01\/policy-and-disclosure-2020-edition.html."},{"key":"ref_24","unstructured":"CERT\/CC (2020, April 20). The CERT\/CC Disclosure Policy. Available online: https:\/\/vuls.cert.org\/confluence\/display\/Wiki\/Vulnerability+Disclosure+Policy."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"McQueen, M., Wright, J., and Wellman, L. (2011, January 21). Are Vulnerability Disclosure Deadlines Justified?. Proceedings of the Third International Workshop on Security Measurements and Metrics, Banff, AB, Canada.","DOI":"10.1109\/Metrisec.2011.9"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"642","DOI":"10.1287\/mnsc.1070.0771","article-title":"Optimal Policy for Software Vulnerability Disclosure","volume":"54","author":"Arora","year":"2008","journal-title":"Manag. Sci."},{"key":"ref_27","first-page":"372","article-title":"Devising effective policies for bug-bounty platforms and security vulnerability discovery","volume":"7","author":"Zhao","year":"2017","journal-title":"J. Inf. Policy"},{"key":"ref_28","unstructured":"Hackerone (2020, May 05). The 2020 Hacker Report. Available online: https:\/\/www.hackerone.com\/resources\/reporting\/the-2020-hacker-report."},{"key":"ref_29","unstructured":"CEPS Working Group (2020, May 05). Vulnerability Disclosure in Europe-Technology, Policies, Legal Challenges. Available online: https:\/\/www.ceps.eu\/download\/publication\/?id=10636&pdf=CEPS%20TFRonSVD%20with%20cover_0.pdf."},{"key":"ref_30","unstructured":"AUTO-ISAC Best Practices-Incident Response v1.3, July 2019. Available online: https:\/\/automotiveisac.com\/best-practices\/."},{"key":"ref_31","unstructured":"Bolz, R., Rumez, M., Sommer, F., D\u00fcrrwang, J., and Kriesten, R. (2020, January 25\u201327). Enhancement of Cyber Security for Cyber Physical Systems in the Automotive Field Through Attack Analysis. Proceedings of the Embedded World Conference 2020, Nuremberg, Germany. Available online: https:\/\/www.researchgate.net\/publication\/339643941_Enhancement_of_Cyber_Security_for_Cyber_Physical_Systems_in_the_Automotive_Field_Through_Attack_Analysis."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Kurachi, R., and Takada, H. (2018, January 12\u201314). Improving secure coding rules for automotive software by using a vulnerability database. Proceedings of the International Conference on Vehicular Electronics and Safety, Madrid, Spain.","DOI":"10.1109\/ICVES.2018.8519496"},{"key":"ref_33","unstructured":"Verdult, R., Garcia, F., and Ege, B. (2013, January 14\u201316). Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer. Proceedings of the 22nd USENIX Security Symposium, Wahington, DC, USA."},{"key":"ref_34","unstructured":"The Guardian (2020, June 27). Security Flaw Affecting More Than 100 Car Models Exposed by Scientists. Available online: https:\/\/www.theguardian.com\/technology\/2015\/aug\/18\/security-flaw-100-car-models-exposed-scientists-volkswagen-suppressed-paper."},{"key":"ref_35","unstructured":"(2020, June 27). Pentest Partners Block-Automotive Security, Hacking the Mitsubishi Outlander PHEV Hybrid. Available online: https:\/\/www.pentestpartners.com\/blog\/hacking-the-mitsubishi-outlander-phev-hybrid-suv\/."},{"key":"ref_36","unstructured":"Keen Security Lab (2020, June 27). Experimental Security Assessment of BMW Cars: A Summary Report. Available online: https:\/\/keenlab.tencent.com\/en\/2018\/05\/22\/New-CarHacking-Research-by-KeenLab-Experimental-Security-Assessment-of-BMW-Cars\/."},{"key":"ref_37","unstructured":"MITRE Corporation (2020, July 23). Common Vulnerabilities and Exposures (CVE) List. Available online: https:\/\/cve.mitre.org\/."},{"key":"ref_38","unstructured":"Mahaffey, K. (2020, November 12). Hacking a Tesla Model S: What We Found and What We Learned, Lookout Blog. Available online: https:\/\/blog.lookout.com\/hacking-a-tesla."},{"key":"ref_39","unstructured":"The Sky-Go Team (360) (2020, October 12). Security Research Report on Mercedes-Benz Cars. Available online: https:\/\/skygo.360.cn\/archive\/Security-Research-Report-on-Mercedes-Benz-Cars-en.pdf."},{"key":"ref_40","unstructured":"(2020, July 15). National Institute for Standards and Technology (NIST), National Vulnerability Database; CVE-20155611, Available online: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2015-5611#VulnChangeHistorySection."},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Sommer, F., Duerrwang, J., and Kriesten, R. (2019). Survey and Classification of Automotive Security Attacks. Information, 10.","DOI":"10.3390\/info10040148"},{"key":"ref_42","unstructured":"Automotive Attack Database (AAD) (2020, October 07). Institute of Energy Efficient Mobility at Karlsruhe University of Applied Sciences. Available online: https:\/\/github.com\/IEEM-HsKA\/AAD."},{"key":"ref_43","unstructured":"(2020, October 07). Malware Information Sharing Platform (MISP). Available online: https:\/\/www.misp-project.org\/."},{"key":"ref_44","unstructured":"(2020, October 07). OASIS CTI, STIX\/TAXII Threat Intelligence Sharing. Available online: https:\/\/oasis-open.github.io\/cti-documentation\/."},{"key":"ref_45","unstructured":"(2020, October 07). FIRST, Traffic Light Protocol (TLP). Available online: https:\/\/www.first.org\/tlp\/."},{"key":"ref_46","unstructured":"(2020, October 07). FIRST, Information Exchange Policy. Available online: https:\/\/www.first.org\/iep\/."},{"key":"ref_47","unstructured":"(2020, October 07). ICASI, Common Vulnerability Reporting Framework (CVRF). Available online: https:\/\/www.icasi.org\/cvrf\/."},{"key":"ref_48","unstructured":"(2020, October 07). VDA-ISA, TISAX 1\u2013Model. Available online: https:\/\/www.vda.de\/dam\/vda\/publications\/Empfehlung%20Informationsschutz%202005\/Beschreibung%20TISAX%20und%20VDA-ISA%20f%C3%BCr%20VDA%20Webseite-DE.PDF."},{"key":"ref_49","unstructured":"(2020, July 23). Terms of Reference for the ENISA Cars and Roads Security (CarSEC) Experts Group. Available online: https:\/\/www.enisa.europa.eu\/media\/news-items\/terms-of-reference-for-the-enisa-cars-and-roads-security-carsec-experts-group."},{"key":"ref_50","doi-asserted-by":"crossref","unstructured":"D\u00fcrrwang, J., Beckers, K., and Kriesten, R. (2017, January 13\u201315). A Lightweight Threat Analysis Approach Intertwining Safety and Security for the Automotive Domain. Proceedings of the International Conference on Computer Safety, Reliability and Security, Trento, Italy.","DOI":"10.1007\/978-3-319-66266-4_20"},{"key":"ref_51","unstructured":"FIRST Vulnerability Coordination SIG & NTIA (2020, July 23). The Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure. Available online: https:\/\/www.first.org\/global\/sigs\/vulnerability-coordination\/multiparty\/guidelines-v1.1."},{"key":"ref_52","unstructured":"(2021, April 29). EU Directive 2016\/1148 Concerning Measures for a High Common Level of Security of Network and Information Systems across the Union, July 2016. Available online: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016L1148."},{"key":"ref_53","unstructured":"Security Insider (2020, December 17). Was Cyberkriminelle 2020 Bewegt. Available online: https:\/\/www.security-insider.de\/was-cyberkriminelle-2020-bewegt-a-899804\/?cmp=nl-4&uuid=93A2AF8C-BEE5-44A8-A609-ADCC489E9CF3."},{"key":"ref_54","unstructured":"Upstream Security (2020, December 17). Global Automotive Cybersecurity Report. Available online: https:\/\/upstream.auto\/2021report\/."},{"key":"ref_55","unstructured":"(2021, April 29). EU Directive 2008\/114\/EG, Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve Their Protection, December 2008. Available online: https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:32008L0114&from=DE."},{"key":"ref_56","doi-asserted-by":"crossref","unstructured":"Bajpai, P., and Enbody, R. (2020, January 18). Towards Effective Identification and Rating of Automotive Vulnerabilities. Proceedings of the Second ACM Workshop on Automotive and Aerial Vehicle Security\u2014AutoSec\u201920, New Orleans, LA, USA.","DOI":"10.1145\/3375706.3380556"},{"key":"ref_57","unstructured":"NIST-CSRC (2020, July 23). Common Platform Enumeration (CPE) Method, Available online: https:\/\/csrc.nist.gov\/projects\/security-content-automation-protocol\/specifications\/cpe."},{"key":"ref_58","unstructured":"The FIRST CVSS-SIG (2020, October 02). Common Vulnerability Scoring Systems (CVSS). Available online: https:\/\/www.first.org\/cvss\/."},{"key":"ref_59","unstructured":"FFRI Inc (2020, October 02). Latest Security Reports of Automobile and Vulnerability Assessment by CVSSv3. Available online: https:\/\/de.slideshare.net\/ffri\/latest-security-reports-of-automobile-and-vulnerability-assessment-by-cvss-v3-ffri-monthly-research-20159."},{"key":"ref_60","doi-asserted-by":"crossref","unstructured":"Ando, E., Kayashima, M., and Komoda, N. (2016, January 10\u201314). A Proposal of Security Requirements Definition Methodology in Connected Car Systems by CVSS v3. Proceedings of the 5th IIAI International Congress on Advanced Applied Informatics, Kumamoto, Japan.","DOI":"10.1109\/IIAI-AAI.2016.95"},{"key":"ref_61","unstructured":"Cyberscoop (2020, October 04). Automotive Companies Are Warming up to Vulnerability Disclosure Programs. Available online: www.cyberscoop.com\/vulnerability-disclosure-programs-automotive-companies-general-motors-hackerone\/."},{"key":"ref_62","unstructured":"(2020, March 23). Volkswagen Press Release. Volkswagen Strives for Digital Leadership\u2014the ID. Family Will Be Launched with Regular \u201cOver-the-Air\u201d Updates in 2021. Available online: https:\/\/www.volkswagenag.com\/en\/news\/2021\/03\/volkswagen-strives-for-digital-leadership.html,."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/2\/15\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T05:57:40Z","timestamp":1760162260000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/1\/2\/15"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,5,6]]},"references-count":62,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2021,6]]}},"alternative-id":["jcp1020015"],"URL":"https:\/\/doi.org\/10.3390\/jcp1020015","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,5,6]]}}}