Auto Trader Hall of Fame

Auto Trader takes website and product integrity seriously and works to keep its site and information as secure as possible. However, no technology is perfect, and Auto Trader believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Brute forcing
• Spamming
• Social engineering (including phishing) of Auto Trader staff or contractors.
• Any physical attempts against Auto Trader property or data centres.
• Any activity that could result in you, or any third party, accessing, storing, sharing or destroying any Auto Trader or customer data.
• 3rd Party companies that offer products or services in association with Auto Trader or on the Auto Trader sites and applications.

Additionally there are certain things we wouldn’t class as bugs, including but not limited to:

• Vulnerabilities in non-web applications.
• Most vulnerabilities involving active content.
• Outdated Browsers: vulnerabilities related to outdated or unpatched browsers, including Internet Explorer versions prior to version 10.
• Results from automated tools without any manual confirmation.
• Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options.
• Strict transport security (HSTP/HSTS) is not enforced.
• Lack of HTTPOnly or secure flag on cookies.
• CSRF token verification missing from pages (unless you can do something impactful with the request).
• Autocomplete enabled.
• Session timeout.
• Clickjacking.
• Cross-Script Includes (Unless a particularly creative or impactful exploit can be found as a result).
• Text / content injection (Unless a particularly creative or impactful exploit can be found as a result).
• Rate-limiting on endpoints.
• Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information).
• Control-character injection (unless you can do something impactful against users other than yourself).
• Attacks that only work against yourself (e.g. host header injection, self-XSS).
• Information disclosure of public and information that do not present risk to our customers, including:
  • Web server type disclosure.
  • Access to web server files or directories that do not contain internal, confidential or restricted data.
  • Server error messages that do not contain internal, confidential or restricted data or avenues to obtain it.
• Special Temporary Exculsion - CSRF, we are aware of these and are working on a fix
• Special Temporary Exculsion - Wordpress, these sites are being decomissioned

How to let us know

When reporting potential vulnerabilities please try to be as thorough as possible providing us with detailed information and if needed screenshots so that we can recreate your findings. We will contact you back to confirm your finding or request additional information if we need to fully diagnose the issue. Please send your reports to our Customer Security team: customersecurity@autotrader.co.uk Information on how we use your personal data can be found in our Privacy Policy.

Rewards

This program does not currently offer rewards, but we do offer: our sincere thanks and gratitude; a place on our hall of fame; and as a token of our appreciation we may make discretionary awards of online vouchers. Hall of Fame entries and vouchers can only be sent for new unreported issues

Thank you for helping keep Auto Trader and its users safe!

Making Changes to your Hall of Fame Listing

If members of our Hall of Fame page wish to have the details removed or wish to make changes, please contact customersecurity@autotrader.co.uk with the details and we will be happy to process your request.

Hall of Fame

Auto Trader greatly appreciates the efforts and time that security researchers take to identify vulnerabilities and who then work with us to ensure that the sites and apps are secure for all of our users. We would like to recognise the following security researchers for their efforts: