Merge pull request bugcrowd#530 from bugcrowd/Automotive-category-upd…

…ates-2024

Added additional missing categories

submissions/description/ai_application_security/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/ai_application_security/llm_security/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/ai_application_security/llm_security/recommendations.md

@@ -0,0 +1 @@
+# Recommendation(s)

submissions/description/ai_application_security/llm_security/template.md

@@ -0,0 +1,26 @@
+# Large Language Model (LLM) Security Misconfiguration
+
+## Overview of the Vulnerability
+
+Misconfigurations can occur across Large Language Model (LLM) within the setup, deployment, or usage of the LLM, leading to security weaknesses or vulnerabilities. These misconfigurations can allow an attacker to compromise confidentiality, integrity, or availability of data and services. Misconfigurations may stem from inadequate access controls, insecure default settings, or improper configuration of fine-tuning parameters.
+
+## Business Impact
+
+This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Navigate to the following URL:
+1. Inject the following prompt into the LLM:
+
+```prompt
+  {malicious prompt}
+```
+
+1. Observe that the LLM returns sensitive data
+
+## Proof of Concept (PoC)
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}

submissions/description/ai_application_security/recommendations.md

@@ -0,0 +1 @@
+# Recommendation(s)

submissions/description/ai_application_security/template.md

@@ -0,0 +1,26 @@
+# AI Application Security Misconfiguration
+
+## Overview of the Vulnerability
+
+Misconfigurations can occur in Artificial Intelligence (AI) applications, including but not limited to machine learning models, algorithms, and inference systems. These misconfigurations can allow an attacker to compromise confidentiality, integrity, or availability of data and services.
+
+## Business Impact
+
+This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Navigate to the following URL:
+1. Inject the following prompt into the LLM:
+
+```prompt
+  {malicious prompt}
+```
+
+1. Observe that the LLM returns sensitive data
+
+## Proof of Concept (PoC)
+
+The screenshot(s) below demonstrate(s) the vulnerability:
+>
+> {{screenshot}}

submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent and limit the impact. Some best practices include the following:
+
+- Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.
+- Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.
+- Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.

submissions/description/automotive_security_misconfiguration/GNSS_GPS/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/automotive_security_misconfiguration/GNSS_GPS/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent and limit the impact. Some best practices include the following:
+
+- Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.
+- Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.
+- Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.

submissions/description/automotive_security_misconfiguration/GNSS_GPS/template.md

@@ -0,0 +1,25 @@
+# GNSS/GPS Misconfiguration
+
+## Overview of the Vulnerability
+
+Global Navigation Satellite System (GNSS) and Global Positioning System (GPS) spoofing involves the broadcast of fake GNSS/GPS signals to fake the position of a vehicle, or otherwise make the positioning unreliable. An attacker is able to send fake GNSS/GPS signals to the receiver and successfully spoof a vehicle’s position.
+
+## Business Impact
+
+This vulnerability can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle.
+
+## Steps to Reproduce
+
+1. The GNSS/GPS signal is identified by using {{hardware}} on {{target}}
+1. Connect to {{target}} by using {{application}} with {{hardware}}
+1. Inject the following payload using {{hardware}}:
+
+{{payload}}
+
+1. Observe that the GNSS/GPS signal has been spoofed
+
+## Proof of Concept (PoC)
+
+The image(s) below demonstrates the process by which an attacker identifies where the GNSS/GPS communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s), causing GNSS/GPS spoofing:
+
+{{screenshot}}

submissions/description/automotive_security_misconfiguration/abs/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/automotive_security_misconfiguration/abs/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent and limit the impact. Some best practices include the following:
+
+- Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.
+- Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.
+- Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.

submissions/description/automotive_security_misconfiguration/abs/template.md

@@ -0,0 +1,23 @@
+# Automotive Security Misconfiguration - Anti-Lock Braking Systems (ABS)
+
+## Overview of the Vulnerability
+
+Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity.
+
+## Business Impact
+
+This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers.
+
+## Steps to Reproduce
+
+1. Identify the software, firmware, and network components present in the vehicle:
+{{Vulnerable component}}
+2. Analyze the configurations and settings of these components for potential misconfigurations.
+3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications.
+4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration.
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent and limit the impact. Some best practices include the following:
+
+- Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.
+- Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.
+- Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.

submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/template.md

@@ -0,0 +1,23 @@
+# Anti-Lock Braking Systems (ABS) - Unintended Acceleration Brake
+
+## Overview of the Vulnerability
+
+Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity.
+
+## Business Impact
+
+This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers.
+
+## Steps to Reproduce
+
+1. Identify the software, firmware, and network components present in the vehicle:
+{{Vulnerable component}}
+2. Analyze the configurations and settings of these components for potential misconfigurations.
+3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications.
+4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration.
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent and limit the impact. Some best practices include the following:
+
+- Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.
+- Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.
+- Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.

submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/template.md

@@ -0,0 +1,23 @@
+# Battery Management System - Firmware Dump
+
+## Overview of the Vulnerability
+
+Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity.
+
+## Business Impact
+
+This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers.
+
+## Steps to Reproduce
+
+1. Identify the software, firmware, and network components present in the vehicle:
+{{Vulnerable component}}
+2. Analyze the configurations and settings of these components for potential misconfigurations.
+3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications.
+4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration.
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent and limit the impact. Some best practices include the following:
+
+- Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.
+- Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.
+- Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.

submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/template.md

@@ -0,0 +1,23 @@
+# Automotive Security Misconfiguration - Battery Management System
+
+## Overview of the Vulnerability
+
+Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity.
+
+## Business Impact
+
+This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers.
+
+## Steps to Reproduce
+
+1. Identify the software, firmware, and network components present in the vehicle:
+{{Vulnerable component}}
+2. Analyze the configurations and settings of these components for potential misconfigurations.
+3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications.
+4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration.
+
+## Proof of Concept (PoC)
+
+The following screenshot(s) demonstrate(s) this vulnerability:
+
+{{screenshot}}

submissions/description/automotive_security_misconfiguration/battery_management_system/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/automotive_security_misconfiguration/battery_management_system/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+There is no single technique to remediate automotive security misconfigurations. However, implementing the right combination of defensive measures can prevent and limit the impact. Some best practices include the following:
+
+- Develop and enforce secure configuration guidelines for the automotive system, incorporating guidelines for software, firmware, and network settings.
+- Ensure that the vehicle's firmware is regularly updated with security patches and fixes to address known vulnerabilities and misconfigurations.
+- Conduct regular security audits and assessments of the vehicle's configurations to identify and remediate any misconfigurations. Follow industry best practices and benchmarks for these.