Mitsubishi Motors Vulnerability Disclosure Program

Mitsubishi Motors Corporation (hereafter referred to as the “Company”) collects and discloses information on product vulnerabilities in order to ensure the security of the Company's products and services and protect customers from cyber threats.

The Company's Vulnerability Disclosure Program (VDP) allows security researchers to identify vulnerabilities in the Company's products and report them to us.
Please check the following and communicate with us via the contact form.

1. Applicable Products

This program covers the Company's products and the applications provided by the Company for connecting to and using those products (hereinafter referred to as “Applicable Products”).
The Company may not address technical vulnerabilities in some OEM vehicles (vehicles manufactured by another company and sold by the Company). Please note that, in such cases, responses may be provided by the manufacturer.

2. Product and Service Vulnerability Management

The Company has established Computer Security Incident Response Teams (CSIRTs) within departments closely related to products and services to address vulnerabilities in the Company's products and services.
The Company also collects information from a wide range of sources about vulnerabilities in the Company's products and services in order to identify and respond to risks associated with security vulnerabilities.
Vulnerabilities that the Company has already acknowledged are not subject to reporting.

3. Vulnerability Information Investigation and Countermeasures

Information about vulnerabilities reported in Applicable Product(s) (hereinafter referred to as “Vulnerability Information”) will be verified by the design and development department for the relevant product(s) and the results communicated to the party who made the report.
The Company will present and disclose necessary countermeasures and workarounds when it determines that Vulnerability Information includes a new vulnerability.

4. Rights Concerning Vulnerability Information

By making a report to the Company (including by means other than the contact form), you agree to the following:

  • You guarantee that you possess appropriate rights to the Vulnerability Information and that you have not infringed upon the rights of a third party.
  • You hereby grant the Company a worldwide, non-exclusive, free, sublicensable, and transferable right to use the Vulnerability Information and all related intellectual property. This includes, but is not limited to, the Company's formulation and disclosure of countermeasures and workarounds based on Vulnerability Information, product revisions and improvements, commercialization, and derivative production, sales, and distribution.
  • The moral rights of the author shall not be exercised and shall not be allowed to be exercised by the author against the Company itself, those who have inherited rights from the Company, or those who have been granted rights.
  • You shall not disclose any part or all of the Company's response to any third party.

5. Bug Bounty Program

Regardless of the content of the Vulnerability Information, the Company does not provide any reward (financial, products, or otherwise) to a party who reports a vulnerability.
If the Company determines that a report contributes to the discovery or resolution of a vulnerability, we will, with the agreement of the party who made the report, post an acknowledgement in the relevant security advisory on the Company's website.
In the event of multiple reports of the same vulnerability, the first party to make the report will be acknowledged.

6. Contact Form

For matters related to the Vulnerability Disclosure Program, please access the “CONTACT” page on this website, open the contact form, complete all required fields, and check the box labeled “☐ Inquiry regarding the handling of personal information, information security, or cyber security” before submitting the form.
Please note that we may not be able to respond to unrelated inquiries.
Responses sent by the Company are intended for the parties who made the reports.
Please refrain from disclosing all or any part of a response to a third party (including posting on social media and presentations at academic conferences) or using it for any other purpose, such as secondary use.

7. Handling of Personal Information

Personal information is handled in accordance with the Privacy Policy below.