
Auto Trader Hall of Fame

We value your concerns

Auto Trader takes website and product integrity seriously and works to keep its site and information as secure as possible. However, no technology is perfect, and Auto Trader believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.


While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Brute forcing
  • Spamming
  • Social engineering (including phishing) of Auto Trader staff or contractors.
  • Any physical attempts against Auto Trader property or data centres.
  • Any activity that could result in you, or any third party, accessing, storing, sharing or destroying any Auto Trader or customer data.
  • Testing third-party companies that offer products or services in association with Auto Trader or on the Auto Trader sites and applications.

Additionally, there are certain things we wouldn't class as bugs, including but not limited to:

  • Vulnerabilities in non-web applications.
  • Most vulnerabilities involving active content.
  • Outdated Browsers: vulnerabilities related to outdated or unpatched browsers, including Internet Explorer versions prior to version 10.
  • Results from automated tools without any manual confirmation.
  • Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options.
  • Strict transport security (HSTP/HSTS) is not enforced.
  • Lack of HttpOnly or Secure flag on cookies.
  • CSRF token verification missing from pages (unless you can do something impactful with the request).
  • Autocomplete enabled.
  • Session timeout.
  • Clickjacking.
  • Cross-Script Includes (Unless a particularly creative or impactful exploit can be found as a result).
  • Text / content injection (Unless a particularly creative or impactful exploit can be found as a result).
  • Rate-limiting on endpoints.
  • Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information).
  • Control-character injection (unless you can do something impactful against users other than yourself).
  • Attacks that only work against yourself (e.g. host header injection, self-XSS).
  • Disclosure of public information and of information that does not present risk to our customers, including:
    • Web server type disclosure.
    • Access to web server files or directories that do not contain internal, confidential or restricted data.
    • Server error messages that do not contain internal, confidential or restricted data or avenues to obtain it.
  • Special Temporary Exclusion - CSRF, we are aware of these and are working on a fix.
  • Special Temporary Exclusion - WordPress, these sites are being decommissioned.

How to let us know

When reporting potential vulnerabilities, please be as thorough as possible, providing us with detailed information and, if needed, screenshots so that we can recreate your findings. We will contact you to confirm your finding or to request additional information if we need it to fully diagnose the issue. Please send your reports to our Customer Security team: Information on how we use your personal data can be found in our Privacy Policy.


This program does not currently offer rewards, but we do offer: our sincere thanks and gratitude; a place on our hall of fame; and, as a token of our appreciation, we may make discretionary awards of online vouchers. Hall of Fame entries and vouchers can only be sent for new, unreported issues.

Thank you for helping keep Auto Trader and its users safe!

Making Changes to your Hall of Fame Listing

If members of our Hall of Fame page wish to have the details removed or wish to make changes, please contact with the details and we will be happy to process your request.

Hall of Fame

Auto Trader greatly appreciates the efforts and time that security researchers take to identify vulnerabilities and who then work with us to ensure that the sites and apps are secure for all of our users. We would like to recognise the following security researchers for their efforts:

Sean Roesner (Twitter)
Mohit Rawat (LinkedIn)
Saad Zulfiqar Abbasi
Tim Naylor (LinkedIn)
Cameron Dawe
Eric Head (HackerOne)
Robbie Wiggins (Twitter)
Damian Ebelties (HackerOne)
Tcaciuc Bogdan
Sajibe Kanti (Facebook)
Muhammad Khizer Javed (Twitter)
Mrityunjoy Emu (Twitter)
Osama Mahmood (HackerOne)
Mohammad Nurnobi (Facebook)
Ziaur Rashid (Facebook)
BadLuck Jack
Akhil George Varghese (Twitter)
Alec Blance (Facebook)
Muhammad Zeeshan (Facebook)
Moataz Jemni (Twitter)
SaifAllah benMassaoud (Twitter)
Huy Kha
Lakhan sen (Twitter)
Imran hadid (HackerOne)
Root Iterator - Dipu (Twitter)
Mansoor Gilal (Facebook)
Muhammad Abdullah (HackerOne)
Efkan Gokbas (Twitter)
Faisal Ahmed (HackerOne)
Yeasir Arafat (Facebook)
Zeel Chavda (LinkedIn)
Haider Kamal
Jayson Vasquez Rubio
Ali Hassan Ghori (LinkedIn)
Gopesh Sharma (Twitter)
Noman Shaikh (Twitter)
Atik Rahman (Facebook)
Piyush kumar (Blogspot)
Parth Barvaliya (Facebook)
Muhammad Zeeshan (Twitter)
Mohammed Abdul Raheem (Twitter)
Emad Shanab (Twitter)
Yaroslav Olejnik (Twitter)
Andrew Gamay (Facebook)
Jens Müller (Twitter)
Taha Smily (Twitter)
Ashish Kunwar (Twitter)
Steven Hampton (Twitter)
Bill Ben Haim (LinkedIn)
Md. Sameull Islam (Twitter)
Marvin van Walstijn (Twitter)
Vikash Chaudhary (LinkedIn)
Ali Tütüncü (Twitter)
Prithiv Tamilbotnet
Syed Abuthahir (LinkedIn)
Yassine Nafiai (Twitter)
Yusuf Aydın (LinkedIn)
Roholesi Talaohu (rootbakar) (Facebook)
Vivek Kumar Yadav - 0xd3vil (LinkedIn)
Abhijeet Sarkar (Facebook)
Raju Kumar (@mrcyberwarrior) (LinkedIn)
Pradipta Das (LinkedIn)
Ramzan Kamboh (LinkedIn)
Ali Imaan
Vasu Yadav (LinkedIn)
George O (Twitter)
Merbin Russel (Twitter)
Mohd Asif Khan (LinkedIn)
Hemant Patidar (LinkedIn)
Mallampati Sai Sashank (LinkedIn)
Ritesh Gohil (LinkedIn)
Flaviu Popescu (LinkedIn)
Krishna Agarwal (LinkedIn)
Scott McGready (Profile)