Marelli Product Security Incident Response Management

Welcome to the Marelli Product Security Incident Response Management (PSIRM) webpage.

Report a vulnerability

If you have information related to security vulnerabilities of Marelli products or services, we want to hear from you.
Please submit a report in accordance with the guidelines below.
We value the positive impact of your work and thank you in advance for your contribution.

To submit a report, please email us at vulnerabilities@marelli.com and follow the guidelines below:

  • Send us your personal details: Name, Surname, Company, Country and, if possible, please provide a telephone number where we can contact you back in case we have any questions.
  • Submissions must include:
    • Written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.
    • A summary of the vulnerability identified.
    • The name of the Marelli product investigated.
    • The list of tools, both hardware and software, used to identify the vulnerability.
    • The classification of the vulnerability, which includes:
      • the level of damage (Severe, Major, Moderate or Negligible, with a description) for each of the scenarios “Operational,” “Financial,” “Privacy,” and “Safety.”
      • the score for each component of the CVSS v3.1 Base vector and the attack feasibility score, assigned according to Table I.9 of Annex I of ISO/SAE 21434.
    • The time spent from the start of the research activities to the identification of the vulnerability.

When reporting vulnerabilities, you must keep all information between you and Marelli. Do not post information to video-sharing or other sites. Videos and images can be sent directly to Marelli in addition to the report.

For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.

During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you have reported until the fix has been publicly made available.

Only submissions written in English will be considered.

Additional Rules and Out of Scope