Rules
Marelli agrees to not pursue civil claims against security researchers related to the disclosures submitted through this program who:
- do not cause harm to Marelli, our customers, or others.
- provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (the detailed summary will allow us to reproduce the vulnerability).
- do not compromise the privacy or safety of our customers and the operation of our services. Specifically:
  - contact us immediately if you inadvertently encounter user data.
  - do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to Marelli.
- act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service).
- comply with all applicable laws.
- do not violate any other law (other than those that would result only in claims by Marelli) or disrupt or compromise any data or vehicle that is not their own.
- publicly disclose vulnerability details only after Marelli confirms completed remediation of the vulnerability and not publicly disclose vulnerability details if there is no completion date or completion cannot be ascertained.
Out of scope
The following are considered out of scope for this program.
- Issues without clearly identified security impact.
- Speculative reports about theoretical damage without concrete evidence or some substantive information indicating exploitability.
- Social engineering of Marelli employees or contractors.
- Any physical attempt against Marelli data centers.
- Denial of Service attacks against Marelli’s websites and infrastructure.
- Open ports which do not lead directly to a vulnerability or to a disclosure of information.
- Non-Marelli products.