Report Potential Security Vulnerabilities

Caterpillar investigates all credible reports of cybersecurity vulnerabilities that may affect Caterpillar’s products or services. If you believe that you have information about a potential cybersecurity vulnerability related to a product or service offered by Caterpillar or its affiliates, please notify us by sending an email to ProductSecurity@cat.com with the subject line “Potential Vulnerability Report.” 

Please include the following information in an attached document to the email:

  • Product type, model and/or version;
  • Details of the vulnerability, including the type of vulnerability (e.g., vulnerabilities related to input validation, credential management, etc.);
  • Information needed to reproduce and validate the vulnerability, including any proof-of-concept code used to exploit it;
  • Perceived impact of the issue, including how an attacker could exploit it;
  • Any additional contact information we may need; and
  • Any other pertinent details.

We strongly recommend that submitters encrypt the attachments containing the requested information above via PGP. Caterpillar’s public PGP key can be found here; confirm the key’s fingerprint before encrypting to it. You should receive a confirmation of receipt within 72 hours. If for some reason you do not receive such a response, please follow up with us to ensure that we received your original message. 
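As an added example (not Caterpillar’s own tooling or key), the following GnuPG script shows the encryption step a submitter would perform: import the vendor’s public key, compare its fingerprint against the value published out of band, and encrypt the report to that fingerprint rather than to a name or email address. To run offline it generates a throwaway key under a temporary GNUPGHOME as a stand-in for Caterpillar’s real key; the key, the user ID productsecurity@example.invalid and the sample report text are constructed for the demo. It assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: encrypt a vulnerability report attachment to a vendor's public PGP
# key with GnuPG, checking the key fingerprint first. The "vendor" key is a throwaway
# key generated here so the script runs offline; it is NOT Caterpillar's real key.

pgp_roundtrip() {
    WORK="$(mktemp -d)"

    # --- Vendor side (stand-in for Caterpillar): generate a key, publish the public part.
    export GNUPGHOME="$WORK/vendor"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Product Security (demo) <productsecurity@example.invalid>" \
        default default never
    gpg --batch --quiet --armor --export productsecurity@example.invalid > "$WORK/vendor-pubkey.asc"
    # The fingerprint the vendor would publish next to the key (e.g. on the web page).
    PUBLISHED_FPR="$(gpg --batch --with-colons --fingerprint productsecurity@example.invalid \
        | awk -F: '/^fpr/ { print $10; exit }')"

    # --- Researcher side: import the key, verify the fingerprint, encrypt the report.
    export GNUPGHOME="$WORK/researcher"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$WORK/vendor-pubkey.asc"
    IMPORTED_FPR="$(gpg --batch --with-colons --fingerprint productsecurity@example.invalid \
        | awk -F: '/^fpr/ { print $10; exit }')"
    # Refuse to encrypt to a key whose fingerprint differs from the published one:
    # anyone able to swap the downloaded key file could otherwise read the report.
    [ "$IMPORTED_FPR" = "$PUBLISHED_FPR" ] || { echo "fingerprint mismatch"; return 1; }

    # Constructed sample report standing in for the attachment described above.
    printf 'Sample report: product X, version 1.2, PoC attached.\n' > "$WORK/report.txt"
    # Encrypt to the fingerprint, not to a name or email that several keys could share.
    # --trust-model always suppresses the interactive "unvalidated key" prompt; the
    # fingerprint comparison above is the validation step in batch use.
    gpg --batch --quiet --trust-model always --armor \
        --recipient "$IMPORTED_FPR" --output "$WORK/report.txt.asc" --encrypt "$WORK/report.txt"

    # --- Vendor side again: confirm the ciphertext decrypts back to the original.
    export GNUPGHOME="$WORK/vendor"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$WORK/report.dec" --decrypt "$WORK/report.txt.asc"

    if cmp -s "$WORK/report.txt" "$WORK/report.dec" \
       && grep -q 'BEGIN PGP MESSAGE' "$WORK/report.txt.asc"; then
        echo ok
    else
        echo fail
    fi
    rm -rf "$WORK"
}
```

In practice the researcher side is all that is needed: import the published key, compare the fingerprint printed by `gpg --fingerprint` with the one published by the vendor, then encrypt the report file with `--recipient <fingerprint>` and attach the resulting `.asc` file to the email.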

We value the positive impact of your work and thank you for notifying Caterpillar of this matter.

The following issues are considered out of scope for this process (including but not limited to):

  • Physical configuration issues
  • Facility security gaps
  • Phishing attacks
  • Web application configuration gaps
  • Website vulnerabilities
  • Equipment damage through physical harm
  • Operational efficiency issues
  • Descriptive error messages (e.g. stack traces, application or server errors)
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Clickjacking and issues only exploitable through clickjacking
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Lack of Security Speedbump when leaving the site
  • Weak Captcha/Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers):
      • Strict-Transport-Security
      • X-Frame-Options
      • X-XSS-Protection
      • X-Content-Type-Options
      • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
      • Content-Security-Policy-Report-Only
  • TLS/SSL issues
  • Denial of Service attacks