Product Security
Horizon Robotics values and encourages security research on our products and services. To report a potential security vulnerability in any Horizon Robotics product or service, please submit your report via email to: report_vulnerability@horizon.auto.
When reporting a potential vulnerability via email, please encrypt the message using Horizon Robotics’ public PGP key (insert key link) and include the following information:
1. Affected product or driver, including version or release;
2. Vulnerability type (code execution, denial of service, buffer overflow, etc.);
3. Steps to reproduce the vulnerability;
4. Proof of concept or exploit code;
5. Potential impact, including how an attacker could exploit the vulnerability.
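Encrypting the report to the vendor's PGP key, as requested above, is a two-step job with GnuPG: import the key, then encrypt to it. The step a practitioner should not skip is checking the key's fingerprint against a value obtained out of band before trusting a downloaded key file, since a link alone can be swapped or mirrored. The helper below is an added example, not Horizon Robotics' own tooling; the key file name, the expected fingerprint and the report path are assumed inputs supplied by the caller (the page does not publish the key or its fingerprint).

```shell
#!/bin/sh
# Added example (not Horizon Robotics' tooling): prepare a PGP-encrypted
# vulnerability report with GnuPG. The key file, the expected fingerprint and
# the report path are assumptions supplied by the caller.
set -eu

# Import the vendor's public key, but refuse to proceed unless the fingerprint
# of the key in the file matches one obtained out of band (for example from the
# vendor's security page over HTTPS). Prints the verified fingerprint on success.
import_and_verify_key() {
  keyfile=$1
  expected_fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  # show-only lists the key without importing it; the first fpr record is the primary key.
  actual_fpr=$(gpg --batch --with-colons --import-options show-only \
                   --import "$keyfile" | awk -F: '$1 == "fpr" { print $10; exit }')
  if [ "$actual_fpr" != "$expected_fpr" ]; then
    echo "fingerprint mismatch: got $actual_fpr, expected $expected_fpr" >&2
    return 1
  fi
  gpg --batch --quiet --import "$keyfile"
  printf '%s\n' "$actual_fpr"
}

# Encrypt the report file to the verified fingerprint. Addressing the recipient by
# fingerprint (not by name or e-mail) pins encryption to the key we just checked.
# --trust-model always skips the web-of-trust prompt that would block a batch run;
# that is acceptable only because the fingerprint was verified above.
# Prints the first line of the armoured output so a caller can sanity-check it.
encrypt_report() {
  fpr=$1
  report=$2
  out=$3
  gpg --batch --yes --quiet --armor --trust-model always \
      --recipient "$fpr" --output "$out" --encrypt "$report"
  # ASCII armour lets the ciphertext be pasted straight into an e-mail body.
  head -n 1 "$out"
}
```

Usage: `fpr=$(import_and_verify_key vendor.asc "AAAA BBBB ... ")` followed by `encrypt_report "$fpr" report.txt report.txt.asc`, then attach or paste `report.txt.asc`. Keep the plaintext report out of shared drives and mail drafts; only the armoured file should leave your machine.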
In-scope products or services
Prior to conducting vulnerability testing on Horizon Robotics' hardware, operating systems, or public networks, please review the authorized scope in advance.
Authorized scope:
• Horizon Robotics' products publicly released to external users:
Horizon Journey™ Series / Journey™ 6 Series
Horizon Mono™
Horizon SuperDrive™
Horizon OpenExplorer™
Horizon Matrix™
Horizon QoHo™
Horizon AIDI™
Horizon TogetheROS™
BPU™
• Horizon Robotics Web Sites:
• Horizon Robotics GitHub repositories:
The following activities are strictly prohibited:
Social engineering attacks, including but not limited to attempts to steal cookies, spoof login pages to collect credentials, or conduct phishing activities;
Resource exhaustion attacks, including but not limited to SMS bombing (exceeding 1,000 messages) or email bombing;
Downloading, accessing, or obtaining Horizon Robotics' internal materials, source code, programs, or any non-public data;
Denial-of-service (DoS) attacks against web-based services;
Internal network penetration, lateral movement, or backdoor implantation;
Unauthorized access to internal-use servers, such as OA systems or internal Git repositories;
Supply chain attacks, including attempts to compromise Horizon Robotics through distributors or other partners in its supply chain.
Security Advisories and Vulnerability Disclosure
In general, Horizon Robotics will notify relevant parties of confirmed vulnerabilities and available fixes or security updates. Notifications may be delivered through targeted communications or by publishing security advisories. Before publishing an advisory, Horizon Robotics will complete the vulnerability response process and ensure that sufficient software updates or workarounds are available, or will plan to disclose mitigations alongside the advisory.
Horizon Robotics security advisories typically include (where applicable):
1. Affected products and versions;
2. Horizon Robotics vulnerability identifier;
3. Vulnerability description and a brief statement of potential impact;
4. CVSS severity rating (see https://www.first.org/cvss/user-guide.html);
5. Remediation details, such as security updates, mitigation measures, or other customer-required actions;
6. Acknowledgement of the reporter.
Beyond what is provided in security advisories and related documentation, Horizon Robotics does not provide additional vulnerability details.
Subject to applicable national laws, regulations, and standards, and consistent with industry practice, Horizon Robotics shall not disclose the results of internal security testing or other security-related activities to any external party. Please note: any unauthorized scanning of Horizon Robotics’ production systems will be treated as an attack.
If you are an OEM partner, please coordinate any requests with your designated Horizon Robotics project manager. If you are a cybersecurity researcher, you must conduct vulnerability scanning strictly within the authorized scope of products or services.
Horizon Robotics’ dedicated security team will review submitted vulnerability reports and will make reasonable efforts to remediate confirmed issues in a timely manner. To encourage responsible reporting, Horizon Robotics will not initiate legal action or request law enforcement to investigate reporters, provided that all of the following responsible disclosure guidelines are followed:
Submit detailed information, including reproduction and verification steps, and proof of concept (PoC). Vulnerabilities affecting in-vehicle functions must be reported within 168 hours (7 days) after identification.
Make good-faith efforts to avoid privacy violations, data destruction, or disruption or degradation of Horizon Robotics' services.
Do not modify or access data that does not belong to you.
Allow Horizon Robotics reasonable time to remediate the issue before disclosing any information publicly.
Only modify vehicles you own or are authorized to access.
Do not endanger vehicle safety or put others at risk.
Ensure that all security research activities are strictly limited to the authorized scope of products or services.
Disclaimer
Pursuant to the Cybersecurity Law of the People’s Republic of China, the vulnerability reporting channel provided on this website is intended to encourage security professionals and the public to participate in maintaining cybersecurity by promptly identifying and reporting vulnerabilities. This channel does not constitute any promise or guarantee by Horizon Robotics. Horizon Robotics makes no warranties regarding the accuracy, completeness, or validity of any information or data submitted through this channel, and shall not be liable for any direct or indirect losses resulting from inaccurate, incomplete, or invalid information.
This website will take reasonable measures to protect the confidentiality of reporters’ personal data and report content. However, where required by applicable laws or regulations, or for the purposes of conducting necessary security investigations, we may disclose relevant information to competent authorities or institutions. In such cases, Horizon Robotics will act in accordance with applicable laws to ensure the lawful and compliant use of the information.
Horizon Robotics will use reasonable efforts to safeguard the cybersecurity and data security of this website, but due to inherent technical limitations, Horizon Robotics assumes no liability for any direct, indirect, incidental, special, or consequential losses arising from the use of this reporting channel, including, without limitation, losses resulting from information leakage, system errors, data loss, or any other issues related to the reporting channel.
Reporters are responsible for ensuring that submitted reports are truthful, accurate, and complete, and comply with the Cybersecurity Law of the PRC and other applicable laws and regulations. Reporters shall bear all legal liability arising from the submission of false, inaccurate, or unlawful report content.
The application, interpretation, and dispute resolution of this disclaimer shall be governed by the laws of the People’s Republic of China (Mainland China). In the event of any dispute arising from or in connection with this disclaimer, the parties shall first seek to resolve the dispute through amicable consultation.