BugHunters — Bug Bounty Platform
    Back to Programs
    Tesla

    Tesla

    Mobility

    Electric vehicle and clean energy company known for its connected car software, autonomous driving systems, and energy products.

    https://tesla.com

    Max Reward

    $15,000

    Total Paid

    $2,800,000

    Resolved

    187

    Avg Response

    5 days

    In-Scope Assets

    tesla.com

    Website, owner portal, and vehicle ordering system

    Tesla App

    Mobile app for vehicle control and monitoring

    Vehicle Software

    In-car infotainment and connectivity systems

    Charging Network

    Supercharger network APIs and authentication

    Out of Scope

    • Physical vehicle attacks requiring disassembly
    • Factory systems
    • Solar/Powerwall hardware

    Severity Levels & Rewards

    Critical

    RCE, authentication bypass, privilege escalation, fund extraction

    High

    Stored XSS, CSRF with impact, API abuse, data manipulation

    Medium

    Reflected XSS, data leakage, logic flaws, information disclosure

    Low

    Verbose errors, minor config issues, low-impact info disclosure

    Active Bounties (2)

    IDTitleSeverityStatusRewardSubmissions
    TSLA-001Vehicle API command injection via crafted trip name
    High
    Open
    		$5,000–$15,0000
    TSLA-002Authentication bypass in Supercharger session management
    Critical
    In Review
    		$10,000–$15,0001

    Rules of Engagement

    • Do not access, modify, or delete data belonging to other users.

    • Do not perform denial-of-service attacks or automated scanning at high volume.

    • Report vulnerabilities promptly and provide sufficient detail to reproduce.

    • Allow reasonable time for fix before public disclosure (90 days).

    • Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.