Responsible Disclosure Policy

John Deere employs secure design and testing practices to protect the integrity, availability, and confidentiality of our applications, systems and the data within them, but we're always willing to accept additional help.

We encourage the security research community or anyone to report any potential vulnerabilities in accordance with the guidelines below. Please note, John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities.

Disclosure Policy Guidelines

  • Provide detailed reports with reproducible steps. Screenshots are welcome.
  • Do not cause harm to John Deere, our customers, or others.
  • Do not compromise the privacy or safety of John Deere, our customers, or others and the operation of our services. Specifically;
    • Avoid access to data related to individuals and contact us immediately if you inadvertently encounter such data;
    • Do not alter, save, store, transfer, or otherwise access such data, and immediately purge any local data upon reporting the vulnerability to us;
    • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not violate any laws, including all privacy and data security laws.
  • Do not disclose any information about the vulnerability unless John Deere specifically approves the disclosure.
  • Only conduct research and submit potential vulnerabilities on assets or systems specifically identified as In Scope and do not conduct research on Out of Scope Vulnerabilities.
  • Do not participate in this program if you are:
    • A member of a foreign terrorist organization as designated by the U.S. Department of State;
    • A resident of or located in a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control ("OFAC"); or
    • Included on any list as a party of concern by the U.S. Bureau of Industry and Security of the Department of Commerce
  • We aim to respond to all new vulnerability reports within 5 business days and will strive to keep you informed on our progress during the process.

Safe Harbor

We agree to not pursue civil action against researchers who comply with John Deere's and HackerOne's policies regarding this vulnerability disclosure program. In the event of a conflict between this policy and any HackerOne policy, this policy applies.

Program Scope

The assets currently in scope for this program are identified at https://hackerone.com/john-deere. If you have any other information you would like to provide to our security team, please do so via the Submission Instructions, below.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Any vulnerability requiring Social Engineering or Phishing to exploit. For example, but not limited to:
    • Self\Client\Reflective XSS
    • Session Cookie Reuse
    • Open redirect vulnerabilities
    • Exception: Stored XSS vulnerabilities
  • Open ports which do not lead directly to a vulnerability
  • Reports from automated tools or scans without a working Proof of Concept
  • Physical Penetration Testing
  • Denial of Service Attacks
  • Non Deere hosted websites
  • Presence of autocomplete attribute on web forms
  • John Deere machines or equipment
  • Submission Instructions

John Deere uses HackerOne to triage and validate responsibly disclosed vulnerability reports. Please submit your report via HackerOne here.

Submitting your report via HackerOne will help ensure timely validation. If you prefer to submit a report without using a HackerOne account or you would like to provide any other information to our security team, you may do so here.