We figure if you're reading this, you have most likely discovered a possible security vulnerability in one of our applications, systems, or services. Or maybe you are just interested in what to do if you spot one sometime in the future?
At carsales, we are driven by our commitment to the security of our customers' data, information systems, and services. However, despite our very best intentions, sometimes there may be something we missed.
This is where you become one of our most appreciated security partners. We love that you are willing to help us and want to tell you what you auto know when disclosing any vulnerabilities you have found.
When you're ready to let us know about a potential security vulnerability, please send an email to security@carsales.com.au
We'd love it if you could include as much information as possible about what you have discovered. At a minimum, we would be extremely grateful if you could send us everything you think we will need to reproduce your steps and see what you discovered.
If you feel the email should be encrypted or contains confidential information, our PGP key can be found here: Download PGP Key
The rubber has hit the road, and you are ready to disclose a vulnerability to us. You stop and think, "What am I getting out of this?"
If our undying gratitude is not enough, you will have the honour and glory of potentially taking the checkered flag for being the first to report the vulnerability. And we will do our best to recognise your goodwill.
Please note, we don't provide any compensation for any reported security vulnerabilities.
Once you have reported the potential security vulnerability, you will receive an email from us confirming we have received your submission.
We will investigate your discovery and keep you informed on our progress. In some circumstances, we may need to pass on the information you submitted to assist government agencies or law enforcement agencies or to help our service providers rectify the security vulnerability. Rest assured, we respect your privacy and will not share your personal details unless required by law to do so.
When we have completed our investigation, we will let you know.
Please don't engage in any activities that violate any laws, breach our website Terms & Conditions (or the applicable T&Cs of any of our products or services), or cause the performance of our applications, systems, or services to be degraded or become unavailable in your efforts to discover or disclose any vulnerabilities. If you do, we will put the handbrake on, cease your participation in the Responsible Disclosure Program and reserve all our legal rights.
And please don't use this Responsible Disclosure Program to report phishing or scam attempts. If you have received a hoax or phishing email or SMS, click here to find out what you should do.
At carsales, we strongly believe in recognition for a job well done. This includes the amazing community of security researchers who have taken the time to find and disclose something we may have missed.
To everyone who has submitted a disclosure report, a massive THANK YOU!!
We would like to formally recognise the following researchers for their successful participation in the carsales responsible disclosure program.
| Year | Security Researcher | Wheelie Rating |
|---|---|---|
| 2024 | Keyur Maheta | |
| 2024 | Priyanshu Dhiman | |
| 2024 | Aditya Yadav | |
| 2023 | Adarsh Hunter | |
| 2023 | Prathamesh Surekha Prakash Pawar | |
| 2023 | Narendra Rathore | |
| 2022 | Gaurang Maheta | |
| 2022 | Sourav Chakraborty | |
| 2022 | Sameer Ahmad | |
| 2022 | Kartik Garg | |
| 2022 | Pankaj Lakshkar | |
Wheelie Legend: the more wheels, the more rubber on the vulnerability!
Last update: April 2024