Auto Trader Hall of Fame
We value your concerns
Auto Trader takes website and product integrity seriously and works to keep its site and information as secure as possible. However, no technology is perfect, and Auto Trader believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
While researching, we'd like to ask you to refrain from:
- Denial of service
- Brute forcing
- Social engineering (including phishing) of Auto Trader staff or contractors.
- Any physical attempts against Auto Trader property or data centres.
- Any activity that could result in you, or any third party, accessing, storing, sharing or destroying any Auto Trader or customer data.
- 3rd Party companies that offer products or services in association with Auto Trader or on the Auto Trader sites and applications.
Additionally there are certain things we wouldn’t class as bugs, including but not limited to:
- Vulnerabilities in non-web applications.
- Most vulnerabilities involving active content.
- Outdated Browsers: vulnerabilities related to outdated or unpatched browsers, including Internet Explorer versions prior to version 10.
- Results from automated tools without any manual confirmation.
- Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options.
- Strict Transport Security (HSTS) not being enforced.
- Lack of HTTPOnly or secure flag on cookies.
- CSRF token verification missing from pages (unless you can do something impactful with the request).
- Autocomplete enabled.
- Session timeout.
- Cross-site script inclusion (unless a particularly creative or impactful exploit can be found as a result).
- Text / content injection (Unless a particularly creative or impactful exploit can be found as a result).
- Rate-limiting on endpoints.
- Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information).
- Control-character injection (unless you can do something impactful against users other than yourself).
- Attacks that only work against yourself (e.g. host header injection, self-XSS).
- Information disclosure of public information, or of information that does not present a risk to our customers, including:
  - Web server type disclosure.
  - Access to web server files or directories that do not contain internal, confidential or restricted data.
  - Server error messages that do not contain internal, confidential or restricted data or avenues to obtain it.
- Special Temporary Exclusion - CSRF: we are aware of these issues and are working on a fix.
- Special Temporary Exclusion - WordPress: these sites are being decommissioned.
How to let us know
This program does not currently offer rewards, but we do offer our sincere thanks and gratitude, a place on our Hall of Fame, and, as a token of our appreciation, discretionary awards of online vouchers. Hall of Fame entries and vouchers can only be given for new, previously unreported issues.
Thank you for helping keep Auto Trader and its users safe!
Making Changes to your Hall of Fame Listing
If members of our Hall of Fame page wish to have the details removed or wish to make changes, please contact email@example.com with the details and we will be happy to process your request.
Hall of Fame
Auto Trader greatly appreciates the efforts and time that security researchers take to identify vulnerabilities and who then work with us to ensure that the sites and apps are secure for all of our users. We would like to recognise the following security researchers for their efforts:
- Saad Zulfiqar Abbasi
- Muhammad Khizer Javed
- Akhil George Varghese
- Root Iterator - Dipu
- Jayson Vasquez Rubio
- Ali Hassan Ghori
- Mohammed Abdul Raheem
- Bill Ben Haim
- Md. Sameull Islam
- Marvin van Walstijn
- Vivek Kumar Yadav - 0xd3vil
- Mohd Asif Khan