Lucid Motors disputed claims by an automotive security researcher that its vulnerability disclosure program had been inactive since mid-2025, saying the “paused” status displayed on the platform was inaccurate.
The company has since fixed a broken link flagged by the researcher.
However, the restored program only lists www.lucidmotors.com as in scope for security testing — not vehicles or related infrastructure.
The Bugcrowd page explicitly states that “All Internal Applications” are out of scope, and any vulnerabilities found on targets not listed “will be ineligible for rewards.”
Saturday: Researcher Raises Alarm
X user ‘greentheonly,’ a security researcher with nearly 90,000 followers who specializes in automotive software analysis, called Lucid “a huge security trainwreck” in a post on Saturday.
“How do people report this stuff and does Lucid even care anymore?” he wrote on the social media platform.
The researcher noted that Lucid’s Bugcrowd program had displayed a paused status since mid-2025, while the company’s official vulnerability disclosure page at lucidmotors.com/legal/legal#vdp returned a 404 error reading “This page got unplugged.”
Monday Morning: Lucid Responds
Vice President of Communications Nick Twork responded to the report in a statement to EV on Monday.
“The ‘paused’ message being displayed on the reporting page is not reflective of our actual status with Bugcrowd, and we’re actively working with them to correct it,” Twork said.
“Our team confirms we’ve been active in the program since 2022, so the implication that it’s been inactive is inaccurate.”
When the researcher pointed out that Bugcrowd disables reporting functionality when a program shows as paused, Twork offered a temporary workaround.
“Will be back up soon. In the meantime, DM me and I’ll share contact info,” the VP wrote on X.
Hours later, Twork confirmed the broken link had been restored.
“Link fixed, thanks for bringing this to our attention,” he wrote.
New Concern: Scope Limitations
Despite the fix, the researcher raised questions about what the restored program actually covers.
“Thank you. Now that’s showing just the website as in scope, I hope that’s just another omission and actual problems with the cars and related infrastructure are also in scope?” the user asked.
Lucid had not responded to the scope question as of publication time.
EV has contacted the company to comment on the matter and will update this story once an answer is provided.
The restored Bugcrowd page confirms only www.lucidmotors.com is listed under “In Scope Targets,” categorized for Gatsby, ReactJS, and website testing.
The page states: “Testing is only authorized on the targets listed as in scope. Any domain/property of Lucid Motors not explicitly listed in the targets section is out of scope. This includes any/all subdomains not listed above.”
Background
EV reported Monday that Lucid’s Bugcrowd program had displayed a paused status since July 15, 2025.
The program had accepted 197 vulnerabilities since its launch in April 2022.
The dormant cybersecurity program added to concerns as Lucid addresses broader software challenges.
Earlier this month, the EV maker fired “more than a handful” of software staff as the company scrambles to fix persistent issues with both of its models.
Emad Dlala, formerly senior vice president of powertrain, assumed responsibility for all software and digital systems in November after Lucid let go of its Product Chief Eric Bach.
Earlier this month, the company’s interim CEO Marc Winterhoff said a major software overhaul is planned for this fall.