Auto Trader Hall of Fame

We value your concerns

Auto Trader takes website and product integrity seriously and works to keep its site and information as secure as possible. However, no technology is perfect, and Auto Trader believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Exclusions

While researching, we'd like to ask you to refrain from:

Denial of service
Brute forcing
Spamming
Social engineering (including phishing) of Auto Trader staff or contractors.
Any physical attempts against Auto Trader property or data centres.
Any activity that could result in you, or any third party, accessing, storing, sharing or destroying any Auto Trader or customer data.
3rd Party companies that offer products or services in association with Auto Trader or on the Auto Trader sites and applications.

Additionally there are certain things we wouldn’t class as bugs, including but not limited to:

Vulnerabilities in non-web applications.
Most vulnerabilities involving active content.
Outdated Browsers: vulnerabilities related to outdated or unpatched browsers, including Internet Explorer versions prior to version 10.
Results from automated tools without any manual confirmation.
Lack of security-related headers, such as: content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options.
Strict transport security (HSTP/HSTS) is not enforced.
Lack of HTTPOnly or secure flag on cookies.
CSRF token verification missing from pages (unless you can do something impactful with the request).
Autocomplete enabled.
Session timeout.
Clickjacking.
Cross-Script Includes (Unless a particularly creative or impactful exploit can be found as a result).
Text / content injection (Unless a particularly creative or impactful exploit can be found as a result).
Rate-limiting on endpoints.
Path and internal IP (RFC 1918) disclosures (unless you can do something impactful with the information).
Control-character injection (unless you can do something impactful against users other than yourself).
Attacks that only work against yourself (e.g. host header injection, self-XSS).
Information disclosure of public and information that do not present risk to our customers, including:
- Web server type disclosure.
- Access to web server files or directories that do not contain internal, confidential or restricted data.
- Server error messages that do not contain internal, confidential or restricted data or avenues to obtain it.
Special Temporary Exculsion - CSRF, we are aware of these and are working on a fix
Special Temporary Exculsion - Wordpress, these sites are being decomissioned

How to let us know

When reporting potential vulnerabilities please try to be as thorough as possible providing us with detailed information and if needed screenshots so that we can recreate your findings. We will contact you back to confirm your finding or request additional information if we need to fully diagnose the issue. Please send your reports to our Customer Security team: customersecurity@autotrader.co.uk

Rewards

This program does not currently offer rewards, but we do offer: our sincere thanks and gratitude; a place on our hall of fame; and as a token of our appreciation we may make discretionary awards of online vouchers. Hall of Fame entries and vouchers can only be sent for new unreported issues

Thank you for helping keep Auto Trader and its users safe!

Making Changes to your Hall of Fame Listing

If members of our Hall of Fame page wish to have the details removed or wish to make changes, please contact customersecurity@autotrader.co.uk with the details and we will be happy to process your request.

Hall of Fame

Auto Trader greatly appreciates the efforts and time that security researchers take to identify vulnerabilities and who then work with us to ensure that the sites and apps are secure for all of our users. We would like to recognise the following security researchers for their efforts:

Name	Contact
Sean Roesner	Twitter
Mohit Rawat	LinkedIn
Adrian Cristian Deaconu	LinkedIn
Saad Zulfiqar Abbasi	Hackerone
Tim Naylor	LinkedIn
Cameron Dawe	Twitter
Eric Head	HackerOne
Robbie Wiggins	Twitter
Damian Ebelties	HackerOne
Tcaciuc Bogdan	Twitter
Sajibe Kanti	Facebook
Muhammad Khizer Javed	Twitter
Mrityunjoy Emu	Twitter
Prial Islam	Facebook
Osama Mahmood	HackerOne
Mohammad Nurnobi	Facebook
Ziaur Rashid	Facebook
BadLuck Jack	HackerOne
Akhil George Varghese	Twitter
Alec Blance	Facebook
Muhammad Zeeshan	Facebook
Moataz Jemni	Twitter
SaifAllah benMassaoud	Twitter
Huy Kha	Twitter
Lakhan sen	Twitter
Imran hadid	HackerOne
Root Iterator - Dipu	Twitter
Mansoor Gilal	Facebook
Muhammad Abdullah	HackerOne
Efkan Gokbas	Twitter
Faisal Ahmed	HackerOne
Yeasir Arafat	Facebook
Zeel Chavda	Linkedin
Haider Kamal	Twitter
Jayson Vasquez Rubio
Ali Hassan Ghori	Linkedin
Gopesh Sharma	Twitter
Noman Shaikh	Twitter
Atik Rahman	Facebook
Piyush kumar	Blogspot
Parth Barvaliya	Facebook
Muhammad Zeeshan	Twitter
Mohammed Abdul Raheem	Twitter
Emad Shanab	Twitter
Yaroslav Olejnik	Twitter
Andrew Gamay	Facebook
Jens Müller	Twitter
Taha Smily	Twitter
Ashish Kunwar	Twitter
Steven Hampton	Twitter
Bill Ben Haim	Linkedin
Md Sameull Soykot	Twitter
Marvin van Walstijn	Twitter
Vikash Chaudhary	Linkedin
G_Murtaza	Twitter
Ali Tütüncü	Twitter
B.Dhiyaneshwaran	LinkedIn
Prithiv Tamilbotnet
Syed Abuthahir	LinkedIn
Yassine Nafiai	Twitter
Yusuf Aydın	LinkedIn
Roholesi Talaohu(rootbakar)	Facebook