
Responsible Disclosure

Polaris values security and privacy and takes potential issues very seriously.  We value our research partners and their efforts to improve cybersecurity and privacy.

Reporting Guidelines

  • Reporters’ methods to research vulnerabilities must not cause harm to Polaris Industries Inc, customers, or others.
  • Reporters must comply with all applicable laws and regulations related to vulnerability disclosure.
  • Reporters must not publicly disclose vulnerability details until after confirmation that remediation of the vulnerability is complete. Disclosed vulnerabilities for which a remediation date is not given cannot be publicly disclosed.
  • Act in good faith to avoid destruction of data, disruption of services, release of private and sensitive information of customers and Polaris IP, and disruption of operations.
  • Once disclosed, activities related to the disclosure on vulnerable systems must cease.
  • If a reporter discovers PII during their research, they must immediately report the finding to Polaris with the details required to identify the PII that was discovered and the steps that were taken to reveal it.
  • If a discovery will potentially place a vehicle in an unsafe operating condition, the reporter should immediately stop operating the vehicle and pursue safe methods to continue research.

Report Content

Reports which indicate issues with a vehicle, vehicle subsystems, or systems a vehicle connects with must contain enough content to evaluate the potential vulnerabilities. Inclusion of the following information is paramount to analyzing the vulnerability (this is not an exhaustive list):

  • Model Number
  • Logs
    • CAN
    • Network
    • Application
  • Images
  • Video/Links to Videos
  • VIN
  • Reproduction Steps
  • Connected URLs

Reporting Process

  • All reports will be submitted to [email protected].
  • Polaris will respond with an acknowledgement within 7 days of receipt.
  • Polaris will follow up with a report summary and a request for additional information once the report has been triaged and its content analyzed. This communication will be a dialogue between the reporter and Polaris.
  • Polaris will communicate the remediation plan once it is developed, along with a timeline for when the remediation will be in effect.

Out of Scope Disclosures

  • Discovered items without a clearly identified security impact, such as missing security headers or verbose error messages.
  • Password complexity requirements.
  • Any infrastructure not directly managed by Polaris Industries Inc.
  • Reports generated solely by automated tools or scans that are common within the industry.
  • Login panels to Polaris resources that are publicly available.
  • Social engineering of Polaris employees or contractors.
  • Physical vulnerabilities at any Polaris facility.
  • Reports whose results are generated without concrete evidence indicating a vulnerability.
  • Reports indicating only a failure to follow best practices.
  • Reports which only indicate the use of a library or software with known vulnerabilities, without a proof of concept or evidence of how it may be exploited.