Cox Automotive Inc.
Cox Automotive is committed to ensuring the security and privacy of its customers, products, and services. We believe responsible disclosure of any security vulnerabilities identified by security researchers is an essential part of that commitment.
This policy is designed to provide security researchers clear guidelines on:
Responsible disclosure requires mutual trust, respect, and transparency between all members of the security community.
Cox Automotive asks that security researchers share the details of any suspected vulnerabilities in Cox Automotive web properties, APIs or other applications via encrypted email to securitydisclosure@coxautoinc.com, using the public key provided at the bottom of this page.
The Cox Automotive Security team will acknowledge receipt of each vulnerability report within two (2) business days, after which the team will conduct a thorough investigation and then take appropriate action.
To respond effectively to a report, we require supporting material to help us understand the nature and severity of the security issue.
At a minimum, please include the following information:
Our team will review, investigate and validate your report. Please allow four (4) weeks before you contact us for an update.
When vulnerability research is conducted within the terms of this policy, we consider such research to be lawful, helpful to and supportive of Cox Automotive’s cybersecurity posture, and conducted in good faith. However:
For secure communication, please encrypt your email with our PGP public key.
Cox Automotive values the security research community. Contributions from security researchers can help us protect the privacy and security of our customers!
Cox Automotive does not offer a bounty program or provide compensation in exchange for security vulnerability submissions at this time.