Yamaha Motor Group Vulnerability Disclosure Program (VDP)
Yamaha Motor Co., Ltd. and the Company’s group companies (collectively, the “Group”, “we”, “us”, and “our”) strive to collect and disclose product vulnerability information to ensure the security of our products and services, and to protect our customers from cyber threats.
Our Vulnerability Disclosure Program (VDP) is a structured framework for security researchers to identify and submit security vulnerabilities to us.
1. Vulnerability Management for our Products
We have established the PSIRT (Product Security Incident Response Team) to handle vulnerability information relevant to the Products.
We strive to collect and disclose product vulnerability information to ensure the security of our products, and to protect our customers from cyber threats.
2. Scope
Our products, applications provided by us that are used in connection with our products (“Products”)
3. Exclusions
We do not accept the reporting of the following vulnerabilities:
- Vulnerabilities in third-party systems that integrate with or are associated with the Products
- Vulnerabilities that require physical destruction or unauthorized modification of the Products
- Vulnerabilities of which we are already aware and have initiated the remediation process
- Social engineering attacks
- Volumetric/Denial of Service vulnerabilities
- Vulnerabilities with low security impact or low exploitability
- Vulnerabilities that can be discovered by vulnerability testing tools but have not been manually verified
- Software vulnerabilities related to currently unsupported Products
- Non-cyber security issues of the Products
4. Bug Bounty Program
Regardless of the nature of the vulnerability information regarding the Products ("Vulnerability Information"), there is no reward for those who report the Vulnerability Information ("Reporter").
5. How we Handle Vulnerability Information
We aim to notify the reporter of our receipt of the initial report within 5 business days.
Please understand that there may be delays in receipt confirmation due to our business holidays.
The reported Vulnerability Information is reviewed by our technical team, and then we provide feedback to the Reporter.
6. Measures to Vulnerabilities
If we determine that a submitted Vulnerability Information describes a new vulnerability, we strive to provide countermeasures and/or workarounds as needed.
7. License to Reported Vulnerabilities
In reporting Vulnerability Information to us, the Reporter agrees to the following:
- Reporter represents and warrants to us having the lawful right to report the Vulnerability Information to us and the vulnerability information does not violate the rights of others.
- Reporter shall not exercise, and shall not allow the author to exercise, any moral rights against us or any person who has succeeded to or licensed rights from us.
- Reporter grants us a worldwide, non-exclusive, royalty-free, sublicensable and transferable right to use the Vulnerability Information and intellectual property rights related to it.
This includes, but is not limited to, developing and publishing vulnerability countermeasures and workarounds based on the Vulnerability Information, modifying and improving our products, commercializing and producing derivative works, and selling and distributing them. - Reporter shall not use or disclose to others any part or all of the content of our response.
8. Administrator of this VDP
- Yamaha Motor Co., Ltd.
- 2500 Shingai, Iwata-shi, Shizuoka-Ken, 438-8501, Japan
psirt@yamaha-motor.co.jp
Please be aware that inquiries to this email address are limited to inquiries related to this VDP. If we receive an unrelated inquiry, we may not be able to reply.
The replies that we send to customers are intended to send to individual customers for the purpose of answering their inquiries.
Please refrain from disclosing part or all of our responses to others or using them for any other purpose, including secondary use.
9. Handling of personal information and contact for inquiries
Personal information is handled in accordance with the following Global Privacy Policy. (If there is a description of the target country, it corresponds to that)
