Vulnerability Disclosure Policy

CarJam Online Limited is dedicated to resolving security vulnerabilities quickly and cautiously. We sincerely respect your privacy and work to efficiently resolve any problems that may arise.

If you believe you have discovered a security related issue within our online systems, we appreciate your help in alerting us of the issue confidentially and conscientiously so that we can do our best to respond.

The Process

Please contact us via email info@carjam.co.nz with a detailed account of the vulnerability at hand. If you believe the vulnerability is serious or there is a chance that the email is insecure, then please encrypt the message with PGP. Download Our PGP key.

The email should include as much of the following as possible:

  • Type of vulnerability
  • Whether the information has been published or shared with others
  • Step-by-step instructions/proof-of-concept codes to replicate the issue

Once submitted, we will acknowledge that we have received your report with a non-automated reply within 7 days and provide an outline response plan where applicable.

We will then proceed to review the information and work to validate the reported vulnerability. In the event that a true vulnerability is discovered, we will complete the investigation and notify the reporter. Where appropriate, the reporter will receive results of the vulnerability findings, a plan for resolution and plans for public disclosure.

Limitations

We do not accept the following forms of security research:

  • Causing, or attempting to cause, a Denial of Service (DoS) condition
  • Accessing, or attempting to access, data or information that does not belong to you
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you

Customer Security

We ask that any vulnerability that you believe you have discovered is not shared outside trusted circles, until we have had the opportunity to investigate and address the issue properly. This is to ensure the protection of our customer’s privacy. We also request that you do not share any information belonging to our customers in any environment. We aim to respond to all serious vulnerabilities that are brought to our attention as quickly and systematically as possible.

Our Commitment

If you follow these policies and have good intentions, we will gladly make the following commitments to you:

  • The information that you choose to share with us as part of this process will be kept confidential within CarJam Online Limited. It will not be shared with third-parties without your permission.
  • We will not initiate legal action against security researchers attempting to find vulnerabilities within our system who adhere to this policy.
  • If you report a vulnerability that materially affects our services, if you would like, we will gladly give thanks with public acknowledgement.

If you have any further questions or you would like to report a vulnerability, please contact info@carjam.co.nz