EV maker Lucid Motors has left its cybersecurity vulnerability disclosure program inactive for more than six months, leaving security researchers without a formal channel to report flaws in the electric vehicle maker’s software.
The company’s Vulnerability Disclosure Program on Bugcrowd, a platform that allows researchers to ethically report security bugs, has been paused since July 15, 2025.
The program had accepted 197 vulnerabilities since its launch in April 2022.
The dormant cybersecurity program adds to concerns as Lucid prepares to launch a mid-size SUV later this year, with the company under pressure to increase sales of its premium vehicles.
X user ‘greentheonly,’ who has nearly 90,000 followers and specialises in automotive software analysis, called Lucid “a huge security trainwreck” in a post on Sunday.
“How do people report this stuff and does Lucid even care anymore?” he wrote.
The researcher noted that Lucid’s website directs users to the Bugcrowd page for vulnerability reporting, but the official link at lucidmotors.com/legal/legal#vdp now returns a 404 error page reading “This page got unplugged.”
“All my connections that were related said all programs were discontinued some time ago too,” the X user added in his Sunday post.
Software Turmoil
The dormant security program comes amid broader software challenges at the Newark, California-based EV maker.
Earlier this month, interim Chief Executive Officer Marc Winterhoff said he had fired several members of the software team.
A Lucid spokesperson told InsideEVs the number of people affected was “more than a handful.”
Both the Lucid Air sedan and Gravity SUV have encountered numerous software issues throughout 2025 despite several over-the-air updates, leading the company to create a dedicated feedback channel in December.
“We know how important software quality and reliability are to you,” Vice President of Communications Nick Twork said at the time.
“That’s why we’ve set up a dedicated team to listen and respond to your feedback. If you encounter any software issues, please let us know directly at [email protected],” the VP added.
No Formal Security Channel
The email address, however, is designed for general software feedback from customers rather than security vulnerability reports, which typically require secure handling, coordinated disclosure timelines, and technical triage by trained security personnel.
Vulnerability disclosure programs are standard practice for automakers whose vehicles depend heavily on software.
Connected vehicles can be susceptible to remote exploits that could affect vehicle safety, user data, or access controls.
The EV maker’s Bugcrowd page description stated: “Lucid Motors cares deeply about maintaining the trust and confidence that our customers place in us. As such, the security of our systems, applications, and data is paramount.”
Last month, a video by Engineering Explained titled “Owning A Lucid Has Been Super Disappointing” went viral, garnering over a million views.
In a follow-up video published earlier this month, the YouTuber said that the EV maker acknowledged shortcomings and outlined plans for a complete user experience overhaul — dubbed UX 3.0 — by early fall 2026.
New Software Chief
Emad Dlala, formerly senior vice president of powertrain, assumed broader responsibility in November after former Product Chief Eric Bach was let go.
Dlala was promoted in November to oversee all product development functions, including vehicle engineering, digital systems, and software.
“In addition to leading the powertrain organization, he will now oversee all product development functions, including vehicle engineering, digital systems, and software,” Lucid said at the time.









