Cox Automotive Responsible Disclosure Policy

Motivations

Cox Automotive is committed to ensuring the security and privacy of its customers, products, and services. With this, we believe responsible disclosure of any security vulnerabilities identified by security researchers is an essential part of that commitment.

This policy is designed to provide security researchers clear guidelines on:

  • how to report potential security issues
  • how we conduct activities around intake, triage, discovery and disclosure (if warranted)
  • our preferences in how reports are submitted to us
  • our expected code of conduct

Code of Conduct

Responsible disclosure requires mutual trust, respect, and transparency between all members of the security community.

  • Trust: We maintain trust and confidentiality in our professional exchanges with security researchers. We ask that you, the disclosure submitter, communicate about potential vulnerabilities responsibly, providing sufficient time and information for our team to validate and address potential issues.
  • Respect: We respect the skills of researchers and recognize your contribution for keeping our customers safe and secure. During security testing, we ask that you make every effort to avoid privacy violations, degradation of our user experience, disruption of our production systems, and destruction of data.
  • Transparency: We will work with you to validate and remediate reported vulnerabilities in accordance with our commitment to security and privacy. We request that you provide the technical detail and background necessary for our team to validate reported issues.
  • Common Good: We investigate and remediate issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability. We ask that you join us in protecting privacy and security by refraining from public disclosure until our team has had time to investigate your findings.

Before attempting to test or report a vulnerability

You must:

  • Respect privacy. Contact us immediately before you access anyone else’s data, personal or otherwise. This includes but is not limited to usernames, passwords and other credentials. You must not save, store or transmit this information.
  • Act in good faith. You must report the vulnerability to us with no conditions attached.
  • Work with us. Promptly report any findings to us. You must stop after you find the first vulnerability and request permission to continue testing.

You must not:

  • Target Cox Automotive customers
  • Take advantage of vulnerabilities obtained through the compromise of Cox Automotive employees (insider information)
  • Perform any tests that will disrupt services or impair others’ ability to use them. This includes Denial of Service (DoS) or resource exhaustion attacks against Cox Automotive or its products.
  • Exfiltrate data – instead use a proof of concept to demonstrate a vulnerability
  • Use a vulnerability to disable further security controls
  • Execute any testing that may add, modify, update, or delete existing data
  • Perform social engineering or phishing against Cox Automotive employees and contractors
  • Perform any testing of physical security
  • Break the law, or any agreements you may have with Cox Automotive, the Cox companies or third parties
  • Publicly disclose any vulnerabilities without explicit written permission from Cox Automotive
  • Attempt to brute force passwords
  • Use automated scanners
  • Knowingly post, transmit, upload, link to, or send malware
  • Pursue vulnerabilities which send unsolicited bulk messages (spam)

How to Report a Suspected Vulnerability

Cox Automotive asks that security researchers share the details of any suspected vulnerabilities with Cox Automotive web properties, APIs or other applications via encrypted email to securitydisclosure@coxautoinc.com, using the public key provided at the bottom of this page.
The Cox Automotive Security team will acknowledge receipt of each vulnerability report within two (2) business days, after which time the Cox Automotive Security team will conduct a thorough investigation, and then take appropriate action.
To effectively respond to a report, we require supporting material to help us understand the nature and severity of the security issue.
At the minimum, please include the following information:

  • Asset or URL
  • Date and Time of testing
  • Vulnerability classification (Critical/High/Medium/Low)
  • Summary or short description
  • Clear, concise reproducible steps or a working proof of concept. If applicable, please provide screenshots and/or videos. These can sometimes assist our team in reproducing the issue.
  • Any tool output or additional related logs or supporting information
  • The impact of the vulnerability: what could happen if this bug were exploited?
  • Recommended solution (optional, but appreciated)
  • Preferred contact method and information (e.g. email, phone)

Our team will review, investigate and validate your report. Please allow four (4) weeks before you contact us for an update.

Examples of vulnerabilities to report:

  • Remote Code Execution (RCE)
  • SQL injection
  • XML External Entity injection (XXE)
  • Authorization bypass/escalation
  • Sensitive information leaks
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Subdomain Takeover (must show impact)
  • File Upload (must show impact)
  • Server Side Request Forgery (SSRF)
  • API Exploitation

Examples of vulnerabilities NOT to report (note that this is not an exhaustive list):

  • Any bug that does not pose a substantial or demonstrable security risk
  • Clickjacking, open redirects, or lack of security headers
  • Denial of Service (DOS)
  • Social engineering
  • Physical exploits of our servers or network
  • Local network-based exploits such as DNS poisoning or ARP spoofing
  • Cross Site Scripting blocked by browser features in Edge, Firefox, Chrome and Safari
  • Vulnerabilities remediated by known vendor patches
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Information disclosure without demonstratable impact
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Vulnerabilities only affecting users of outdated or unpatched browsers
  • Open redirect – unless an additional security impact can be demonstrated
  • Clickjacking on non-sensitive action pages
  • Missing best practices in SSL/TLS configuration

Safe Harbor

When conducting vulnerability research within the terms of this policy, we consider such research to be: Lawful, helpful to and supportive of Cox Automotive’s Cybersecurity posture, and conducted in good faith. However:

  • Misuse of Cox Automotive systems may result in personal civil and/or criminal liability.
  • You are expected, as always, to comply with all applicable laws, including but not limited to federal, state, local and international laws, regulations and published policies.
  • If you have concerns or are uncertain whether your security research is consistent with the terms of this program, please email your question to securitydisclosure@coxautomotive.com.

Public Key

For secure communication, please encrypt your email with our PGP public key.

Thank you

Cox Automotive values the security research community. Contributions from security researchers can help us protect the privacy and security of our customers!

Cox Automotive does not offer a bounty program or provide compensation in exchange for security vulnerability submissions at this time.