Cybersecurity Vulnerabilities

Rivian is dedicated to a secure and safe relationship with its customers which extends to all technology on Rivian websites, applications, products, or platforms. Our website has General Terms and Conditions(“Rivian Terms”) and all users are required to follow those Rivian Terms in any use of our products, applications, or websites. We understand that customers or security researchers may identify security vulnerabilities or other issues with our website and products. We encourage anyone who becomes aware of any issues to immediately notify us at vulnerability@rivian.com.

We will investigate your security vulnerability submissions (“Vulnerability Report”) and make best efforts to quickly address any security vulnerabilities. To encourage responsible submission of Vulnerability Report(s), we will not take legal action against you under the Computer Fraud and Abuse Act (“CFAA”), Digital Millennium Copyright Act (“DMCA”), or similar law, nor request law enforcement to investigate you, and consider your actions in a Vulnerability Report as “authorized” on the condition that you comply with the following guidelines:

• Do not intentionally or indirectly violate our Rivian Terms.

• Provide documentation and details of the vulnerability, including information needed to reproduce and validate the vulnerability.

• Do not attempt to sell this information for monetary gain.

• Do not modify or access any data or accounts that do not belong to you.

• Do not conduct post-exploitation activities, including but not limited to, any modification or destruction of data, privacy violations, or cause any interruption of Rivian software or services.

• You are not authorized to perform any brute-force attack(s) or denial-of-service attack(s).

• Do not compromise the safety of a vehicle or expose others to an unsafe vehicle conditions.

• Do not disclose vulnerability details to third parties until Rivian remediates the vulnerability

• Not be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g. Cuba, Iran, North Korea, Sudan and Syria).

• Not be a person designated on the U.S. Department of the Treasury’s Specially Designated Nationals List.

By disclosing a Vulnerability Report to Rivian, you give Rivian, without charge, royalties or other obligation to you, the right to make, have made, create derivative works, use, and/or share your Vulnerability Report in any way and for any purpose. Please do not provide Rivian with any Vulnerability Report that is subject to a license which requires Rivian to license software, technology, or documentation from a third party.

Rivian encourages participation from security researchers in our public bug bounty program to help ensure the security and integrity of our connected ecosystem. We offer rewards for the responsible disclosure of eligible vulnerabilities. Please refer to the Rivian Bug Bounty page for full program details, including scope, reward tiers, and submission guidelines.