Security @ Cars24
CARS24 is a next-generation eCommerce platform for pre-owned cars. We provide the best in class experience for car buyers by offering a wide assortment of certified cars that are home delivered with a click of a button while sellers get the best price of their vehicles in less than 1 hour.
Cars24 is committed to working with security experts across the globe to stay up to date with the latest security techniques & vulnerabilities, Feel free to inspect applications. If you have discovered a security issue that you believe we should know about, we’d welcome working with you. Please let us know about it and we'll make every effort to quickly correct the issue.
Check out the list of researchers that were provided with the Hall of Fame
Vulnerability Disclosure Policy
- We recommend reporting the discovered vulnerabilities to us before disclosing them publicly.
- We recommend not disclosing any business information or user information to the public, any such information found shall be reported to the security email, found at the bottom of this page, on an immediate basis.
- Do not access or modify our data or our users’ data, without explicit permission from us. Only interact with your own accounts or test accounts for security research purposes.
- Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability.
- Provide us with a reasonable amount of time to resolve the issue.
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service).
- Please do not attempt to compromise the safety or privacy of the users of CARS24.
- We request you not use vulnerability testing tools or any automated scanners that generate a significant volume of incoming traffic which may cause any disruption to our applications or services.
- We also request not to run any DoS attacks on any of the applications or endpoints during this engagement.
Severity Structure & Normalisation
Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity based on CARS24 Business Impacts because of the vulnerability.
Note that cars24 allows self-registration, -- which makes vulnerabilities exploitable without authentication a lot more impactful. For this reason, any vulnerability that requires a user account will not be considered critical.
Also, any high/critical vulnerabilities that require a MITM, will be considered with Low/medium as the communication is encrypted with the latest TLS versions.
Out Of Target Range
Actions/areas that are explicitly NOT considered to be in-scope:
- Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software; or
- Attempting to social engineer support staff; or
- Testing in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages; or
- Testing in a manner that would degrade the operation of the Service; or
- Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction; or
- Testing third-party applications or websites or services that integrate with or link to the Service.
Vulnerabilities with the following severities
|Critical||Hall of Fame & Letter of Recommendation|
|High||Hall of Fame & Letter of Recommendation|
|Medium||Hall of Fame|
Vulnerability Reporting Format
- Vulnerability Name
- Steps to Reproduce
CARS24 will make the best effort to meet the following SLAs for hackers participating in our program:
- Time to first response (from report submit) - 7 business day
- Time to triage (from the first response) - 7 business days
- Time to closure (from triage) - between 10 and 15 business days
Eligibility for Participation
You are responsible for complying with any applicable laws. You are not eligible to participate in this program if you are currently an employee of Cars24 or any of its subsidiaries.
Reports from former employees, the immediate family of current employees, or other associates of Cars24 that may present a conflict of interest in the program's goals will be more thoroughly reviewed. They may not qualify for the stated bounty awards at Cars24's discretion.
Upon submission of your finding, you are agreeing with the terms & conditions and are liable to the NDA
You can reach out to us at [email protected]
Happy Hacking :)