Vulnerability Disclosure Policy | Security and privacy are core to our values | Fisker, Inc.

Vulnerability Disclosure Policy

1. Introduction

Security and privacy are core to our values, and we value the input of hackers and security researchers acting in good faith to help us maintain a high standard for the security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

Fisker Group Inc. (“Fisker”) recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our coordinated vulnerability disclosure program.

The Fisker Product Security Incident Response Team (PSIRT) manages the receipt, investigation and internal coordination of security vulnerability information related to Fisker offerings. This team will coordinate with Fisker product and solutions teams to investigate and, if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.

Fisker will aim to respond to new reports within 5 business days.

Please Note: report status marked as triaged is subject to change pending the responding team’s final analysis.

2. Guidelines

Initially, this Program Policy is limited to exploitable security vulnerabilities and CVE’s found in the products that Fisker currently markets.

  • Please see the list of In Scope Products section below.

As we expand our Vulnerability Management Program, we will add more Fisker products to this list.

To be eligible to participate in this program, you must not be under contract to perform security testing for Fisker directly or indirectly through one of Fisker’s retained service providers or suppliers.

Only report vulnerabilities for Fisker products that are currently in support.

  • Check the “In Scope” section below for the product list.

  • Only the current release and the previous release of any of these products are covered by this program.

To protect our customers, Fisker does not publicly disclose or confirm security vulnerabilities until Fisker has conducted an analysis of the product, issued fixes and/or mitigations, and have verified our customers are free of any threat.

By submitting a vulnerability report to Fisker, you agree to not publicly disclose or share the vulnerability with any third party until Fisker confirms that the vulnerability has been remediated or you have received written permission from Fisker to publish information about the vulnerability.

For Fisker to evaluate your vulnerability report, you agree to provide the following information about your finding:

  • Your email address (required)

  • Your public PGP key (required)

  • Details on the software product and version (if known)

  • Event Details

    • Vehicle Model

    • VIN #

    • Manufacturer Year

    • General date and time of occurrence (please include time zone)

    • A description of the issue

    • The hardware platform (if known)

    • steps to reproduce the issue

    • potential impact

    • See section “How to Submit a Security Vulnerability”.

  • Do not include any vulnerability information that may identify an individual (such as a name, contact information, IP address or other similar information) in any attachments included in your vulnerability report.

3. How to Submit a Security Vulnerability

Fisker defines a security Vulnerability as:

  • A weakness or flaw in a product or service that could allow an attacker to compromise the integrity, availability, or confidentiality of the product or service.

We welcome any vulnerability reports that are completed and submitted in good faith. To this end, we expect the following:

  • The intent of your testing is not to cause commercial or other harm to Fisker and/or its customers.

  • Fisker proprietary information, customer information, or Personally Identifiable Information captured during the discovery of the vulnerability will never be publicly disclosed.

  • No applicable domestic or international laws were violated prior, during or after the discovery of the vulnerability reported to us and in relation to said vulnerability.

If you are in doubt regarding meeting these expectations, please use the contact details below to reach out and discuss further.

In Scope Vulnerability reports may be PGP encrypted and sent to:

Our Public PGP Key may be found here:

Upon receiving a vulnerability report, we commit to:

  • Contact the reporter of the vulnerability to acknowledge receipt as soon as possible, within 5 business days

  • Triage and validate the vulnerability and drive remediation efforts internally and in concert with our affected products. Time to resolution will depend on the severity and complexity of the vulnerability.

  • Follow up with the reporter upon validation of the vulnerability.

Note: Fisker does not currently sponsor a formal bug bounty program but may recognize and/or reward security researchers for vulnerability reports at Fisker’s discretion. Fisker appreciates the contributions that security research community members make to the development of our products.

4. In Scope Products

The Fisker Vulnerability Management program is limited to the current release and previous releases of the products listed below:

  • Fisker Ocean Vehicle

  • Fisker Mobile Application

  • Fisker Cloud Applications

5. Out of Scope

The following submissions are not accepted as part of this program:

  • Clickjacking on pages with no sensitive state changing actions.

  • Unauthenticated/logout/login CSRF.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Best practices that do not lead to an actionable vulnerability or do not have a CVE.

  • Any activity that could lead to the disruption of our service (DoS).

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.

  • Publicly known data meant to be accessed by anyone.

Please Note: if you find a directory listing and explain how it can lead to a malicious exploit then we'll accept it after review.

6. Legal Notice

By submitting a vulnerability report to Fisker, you agree that Fisker may use any information provided by you in such report for any Fisker business purpose (including but not limited to reproduction of the vulnerability, remediation of the vulnerability and general development purposes), without requiring consent from or payment to you.

Also, it is important that you notify us if any such information or associated intellectual property is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.

Thank you for helping keep Fisker and our customers safe!

7. Contact

Please encrypt the content of all your messages with the PGP key below and include your own public key in your communications with Fisker PSIRT.

psirt@fiskerinc.com

PGP Public Key:

https://keys.openpgp.org/vks/v1/by-fingerprint/66B7BA9B1CF7E35499C2BB26C6E0DDFBF9BC5F93

PGP key fingerprint:

66B7 BA9B 1CF7 E354 99C2 BB26 C6E0 DDFB F9BC 5F93