Security Vulnerability Reporting Policy
tesla.com

And? Lots of companies do; it's a best practice.
I thought it was an interesting position for what is ostensibly a car company to take. If this is common for car companies, who are more and more becoming software companies, I was unaware.
Also, personally I’m a big fan of yours.
Yep. Also lots of companies that should do it, but don't.
The title on this story changed long after I wrote this; the original title was something like, "Tesla accepts reports encrypted to a PGP key."
At least they posted the public key instead of the private one like Adobe: https://arstechnica.com/information-technology/2017/09/in-sp...
> Priority will be granted to encrypted reports – please include your PGP public key with such reports.
Is this a common thing? Why should they give priority to encrypted reports?
It could be a somewhat arbitrary bar to separate the wheat from the chaff. If they get a lot of questionable submissions, prioritizing encrypted submissions means prioritizing submitters who at least know enough to use encryption.
To encourage people to use encryption?
Shouldn't they give priority to unencrypted ones since they're ostensibly more likely to be publicly exposed?
Also a bug bounty: https://bugcrowd.com/tesla