Volvo Cars Vulnerability Reporting Guideline

Cybersecurity is a top priority at Volvo Cars. We are committed to the principles of Coordinated Vulnerability Disclosure (CVD) which allow us to evaluate privately reported vulnerabilities, assess information and take corrective measures (if needed) as soon as possible.

Scope

This guideline provides information on how to report a potential cybersecurity vulnerability or weakness in Volvo Cars products, solutions or services. This guideline does not grant any right to test, tamper, alter or impact a Volvo Cars product or service.

We do not operate any public bug bounty program and offer no reward for submissions.

When and how to contact us?

Volvo Cars Security Incident Response Team (SIRT) is responsible for collecting information about potential vulnerabilities in products, solutions and services of Volvo Cars.

The SIRT is composed of two sub-teams, organized by technical area. If you identify a potential security vulnerability, please contact one of the following teams:

Computer Security Incident Response Team (CSIRT)

• Scope: IT infrastructure and Volvo Cars global web applications

• Contact information: seccontr@volvocars.com

Product Cybersecurity and Incident Response Team (PSIRT)

• Scope: Volvo Cars products and solutions (i.e., the vehicles and connectivity services)

• Contact information: psirt@volvocars.com

What shall the report contain?

In order for Volvo Cars to process your report, you shall include the following information (if available).

Contact information: Your name, phone number (including country code) and organization (if applicable).

Volvo Cars product(s)/solution(s): Where applicable, VIN (Vehicle Identification Number) and, if possible, name of hardware / software of the affected components or services.

Volvo Cars IT system(s): If the report concerns IT systems, you should include the URL or IP address.

Description: A detailed technical description of the identified potential vulnerability.

Attachment(s): Please do not attach any files to your initial report (our mail filters might detect your mail as spam).

If there is a need to exchange files and ensure confidentiality, we encourage you to encrypt any sensitive information you send to us via e-mail using the PGP key provided below. Please do not forget to include your own public key in the e-mail.

CSIRT PGP key fingerprint:

06A0 5827 A51B F2CF B1D1 8A69 F6F7 0F08 74A5 F5C3

Link to the CSIRT PGP key in a text file (VolvoCars_CSIRT_public_key.txt)

PSIRT PGP key fingerprint:

81E6 C7F3 97A1 F225 993A F52A C3F7 FD3B 1CBA 3C19

Link to the PSIRT PGP key in a text file (VolvoCars_PSIRT_public_key.txt)

How do we handle your report?

Step 1

The SIRT will respond to your vulnerability report by acknowledging that the report has been received and by establishing communication with you, for further exchange of information (if so required).

Step 2

The reported potential vulnerability will be investigated and coordinated by the relevant part of the Volvo Cars organization, including the Data Protection Organization if personal data might be affected. If necessary, and subject to confidentiality obligations and other legal obligations, Volvo Cars' suppliers and co-operation partners will be informed about the report and provided with appropriate details. In some situations Volvo Cars is obliged to disclose the matter to the general public without delay. To the extent possible, SIRT will keep you informed about the investigation / coordination progress.

Step 3

The SIRT will share with you appropriate details about the conclusions of the investigation / coordination once it has been concluded and/or corrective measures have been taken. If needed, details will also be shared with Volvo Cars' suppliers and co-operation partners.

How do we handle your personal data?

This section describes how Volvo Cars processes your personal data when you contact and report a vulnerability to us (hereinafter “Vulnerability Reporting”).

Who are we?

The entity responsible for the processing of personal data in relation to Vulnerability Reporting is Volvo Car Corporation, having its registered office at Assar Gabrielssons Väg, SE-405 31, Gothenburg, Sweden, company registration number 556074-3089, hereinafter referred to as “Volvo Cars”, “we”, or “us”.

What personal data do we collect and why?

While reporting a vulnerability to us, we will process the following categories of personal data:

• Your name, phone number (including country code) and organization (if applicable). This data is used in order for Volvo Cars to contact you during the investigation / coordination.

• Any information provided by you relating to the reported vulnerability, including, but not limited to, the VIN.

• Any information obtained during the communication between Volvo Cars and you in relation to the Vulnerability Reporting.

How long do we keep your data?

The collected data is kept for a period of 1 year after the vulnerability investigation / coordination has been concluded. We will however keep on our systems the conclusions of the investigation / coordination in an anonymized format.

Who do we share your personal data with?

We will share your personal data with the following categories of third parties, on a need-to-know basis:

• Our service providers (processors) supporting Volvo Cars’ activity in general, such as providers of IT solutions.

• Companies within the Volvo Car group – for managing vulnerabilities relating to their systems.

Transfers of data to these third parties, which may be established outside the EU/EEA, are done by using Standard Contractual Clauses adopted by the European Commission pursuant to Art. 45 General Data Protection Regulation (GDPR), or subject to appropriate and adequate safeguards for data transfer pursuant to Art. 46 f. GDPR, or on the basis of the derogations under Art. 49 GDPR.

What are your rights?

You have specific legal rights granted by the GDPR relating to the personal data we process about you. You can withdraw your consent or object to our processing of your data, access the data we hold about you, ask for rectification or restriction of your data, request to have your data ported to another entity, request that we delete your data, and finally you can file a complaint with a data protection supervisory authority.

Details about your rights – what they mean, when and how you can exercise them – can be found in our Customer Privacy Policy – see Section 5 “Your Rights in Relation to the Data Processing We Perform”.

Contact information

In order to exercise your rights, please use the applicable web form available in the Customer Privacy Policy mentioned above. If you have any other questions regarding the subject matter of personal data protection, you can contact us at:

Volvo Car Corporation

Postal address: Volvo Car Corporation, Assar Gabrielssons Väg, SE-405 31 Gothenburg, Sweden

E-mail address: globdpo@volvocars.com

We reserve the right, at our discretion, to modify our privacy practices, update and make changes to this section and the Customer Privacy Notice, at any time. For this reason, we encourage you to refer to this section or the Customer Privacy Notice on an ongoing basis. This privacy notice is current as of the date on which this guideline was published. We will treat your personal data in a manner consistent with this section, under which they were collected, unless we have your consent to treat them differently.

Media or PR inquiries regarding Volvo Cars Security Vulnerability Information

Please contact corporate communication: media@volvocars.com