Security
Introduction
Heetch is committed to ensuring the safety and privacy of all passengers and drivers by protecting their information. The purpose of this policy is to give security researchers clear guidelines for conducting vulnerability discovery activities and to share our preferences for how discovered vulnerabilities should be submitted to us. This policy describes the systems and types of research covered, how to send vulnerability reports to us, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
Authorization
Heetch agrees not to sue parties who submit vulnerability reports under this program, provided the reporter(s):
- Do not use automated vulnerability discovery tools (e.g. scanners)
- Conduct security research without harming Heetch or its customers, employees, or service providers
- Do not use, disclose, or modify the data obtained as part of this research
- Do not perform any action that affects the proper functioning of the Services
- Do not perform a denial of service attack
Guidelines
For the purposes of this policy, “research” refers to activities in which you:
- Let us know as soon as possible after discovering a real or potential security issue
- Make every effort to avoid privacy breaches, the degradation of the user experience, the disruption of production systems, and the destruction or manipulation of data
- Use exploits only as needed to confirm the presence of vulnerabilities
- Do not use an exploit to compromise or exfiltrate data, to establish persistence, or to pivot to other systems
- Give us a reasonable amount of time to resolve the issue before publicly disclosing it
- Once you have established that a vulnerability exists, or if you encounter sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), stop your test, notify us immediately, and do not disclose that data to anyone else
Test methods
The following test methods are not allowed:
- Network denial of service (DoS or DDoS) tests or other tests that hinder or damage access to a system or data
- Physical tests (for example, access to offices, open doors, surveillance), social engineering (for example, phishing, voice phishing), or any other non-technical vulnerability test, whether against customers (passengers), drivers, or Heetch employees
Scope of application
This policy applies to the following systems and services:
- Heetch.net
- Heetch.com
- Source code in public GitHub repositories
Any service not expressly listed above, such as connected services, is out of scope and must not be tested. In addition, vulnerabilities discovered in the systems of any vendor that uses Heetch services and/or tools do not fall within the scope of this policy and should be reported directly to that vendor in accordance with its own disclosure policy (if any).
Report a vulnerability
We accept vulnerability reports at [email protected]
For sensitive reports, you can send us encrypted messages using our PGP key below:
Bounty/rewards program
By default, we do not reward vulnerability reports. However, if you request it and the vulnerability is confirmed, we can publicly credit you for the disclosure on our Hall of Fame.
What we expect from you
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe where the vulnerability was discovered and the potential impact of exploiting it
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful)
- Be written in English, if possible
What you can expect from us
When you choose to provide us with your contact details, we commit to coordinating with you as openly and as quickly as possible:
- Within three business days, we will acknowledge receipt of your report
- Where possible, we will confirm the existence of the vulnerability to you and be as transparent as possible about the actions we are taking during remediation, including any issues or challenges that may delay resolution
- We will maintain an open dialogue with you to discuss these issues
Questions
Questions about this policy can be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.