John Deere's Response to a Researcher's Vulnerability Disclosure

Karamba Security | May 2nd, 2021

John Deere’s cybersecurity response to a discovered vulnerability was good. But a vulnerability on one of their six-figure autonomous farm vehicles that affects safety could be much worse.

John Deere’s website and owner application has been “hacked” by researcher SickCodes. Their cybersecurity response to the responsible disclosure was good: Within a week from notification they fixed issues and allowed publication of past vulnerabilities.

Two things that caught our eye were the fact that before this, John Deere had NO vulnerabilities (CVEs) published, and the fact that, according to the hacker, they had no externally-facing Vulnerability Disclosure Program. The researcher who found, responsibly disclosed, and later published the vulnerability was not happy with their response to his claims (since he got no bounty, and their Vulnerability Disclosure Program was created on the fly when he let them know about the bugs), yet even he commended them on the overall response.

As observers from the sidelines, we wish that all organizations who do not yet have a bug disclosure program in place would react as efficiently and responsibly as John Deere did.

When you read Lane Arthur’s interview on’s Technology News, you can see how the company was able to respond well; They are already well along their digital journey: they have 3rd-party partners for APIs using and enhancing data collected from their machines, timely releases and OTA distribution, security awareness with their developers, and a full-time Product Security team.

The impact of the vulnerability found on the John Deere website and application could have been leakage of owners’ personal data. A vulnerability on one of their six-figure autonomous farm vehicles that affects safety could be much worse.

The hacker attack led Joh Deere to accelerate their readiness for UN R155 (WP.29) by enabling their vulnerability disclosure program – a step towards an end-to-end security management system, as dictated by UN R155.

Read more

Continue the conversation!

Want to learn more?

Contact Us


24 HaNagar Street
Hod Hasharon
Tel: +972 9 88 66 113



41000 Woodward Ave
Building East, Suite 350
Bloomfield Hills, MI 48304
Tel: +1 833 4KARAMBA



Landstr. 264, Munich
Tel: +49 892 1547 7583