Security @ Cars24

CARS24 is a next-generation eCommerce platform for pre-owned cars. We provide the best in class experience for car buyers by offering a wide assortment of certified cars that are home delivered with a click of a button while sellers get the best price of their vehicles in less than 1 hour.

Cars24 is committed to working with security experts across the globe to stay up to date with the latest security techniques and vulnerabilities. Feel free to inspect our applications. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. Please let us know about it and we'll make every effort to correct the issue quickly.

You can reach out to us on [email protected]

Check out the list of researchers who have been recognised in our Hall of Fame.

Vulnerability Disclosure Policy

  • We recommend reporting the discovered vulnerabilities to us before disclosing them publicly.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • We recommend not disclosing any business or user information to the public; any such information you find should be reported to [email protected] immediately.
  • Do not access or modify our data or our users’ data without the explicit permission of the owner. Only interact with your own accounts or test accounts for security research purposes.
  • Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability.
  • Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service).

Testing:

  • Please do not attempt to compromise the safety or privacy of the users of CARS24.
  • We request that you not use vulnerability testing tools or automated scanners that generate a significant volume of incoming traffic, as this may disrupt our applications or services.
  • We also request that you not run any DoS attacks against any of our applications or endpoints during this engagement.

Severity Structure & Normalisation

Upon receipt of the finding, we will conduct an internal investigation to understand the full impact of the vulnerability. We then assess the severity on the basis of the business impact the vulnerability has on CARS24.

Note that Cars24 allows self-registration, which makes vulnerabilities that are exploitable without authentication considerably more impactful. For this reason, any vulnerability that requires an account will not be scored as critical.

Also, any high/critical vulnerability that requires a MITM position will be rated Low/Medium, since communication is encrypted with TLS 1.2 and 1.3, unless it is actually exploited.

Out Of Target Range

Actions/areas that are explicitly NOT considered to be in scope:

  • Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software; or
  • Attempting to social engineer support staff; or
  • Testing in a manner that would result in the sending of unsolicited or unauthorised junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages; or
  • Testing in a manner that would degrade the operation of the Service; or
  • Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction; or
  • Testing third-party applications or websites or services that integrate with or link to the Service.

Bounty Structure

Vulnerabilities with the following severities are rewarded as follows:

  Severity   Reward
  Critical   Hall of Fame & Letter of Recommendation
  High       Hall of Fame & Letter of Recommendation
  Medium     Hall of Fame
  Low        Email Appreciation
  Info       Email Appreciation

Vulnerability Reporting Format

  • Vulnerability Name
  • Severity
  • Endpoint
  • Description
  • Steps to Reproduce
  • PoC
  • Mitigation

SLA

CARS24 will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submission) - 7 business days
  • Time to triage (from first response) - 7 business days
  • Time to closure (from triage) - between 10 and 15 business days

Eligibility for Participation

You are responsible for complying with any applicable laws. You are not eligible to participate in this program if you are currently an employee of Cars24 or any of its subsidiaries.

Reports from former employees, the immediate family of current employees, or other associates of Cars24 that may present a conflict of interest with the goals of the program will be more thoroughly reviewed and may not qualify for the stated bounty awards, at Cars24's discretion.

Happy Hacking :)