Data Security
Vulnerability Disclosure Program
No technology is perfect and Smartcar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology.
Scope
In scope
Testing is only authorized on the target domains listed as in scope.
smartcar.com
api.smartcar.com
auth.smartcar.com
connect.smartcar.com
dashboard.smartcar.com
javascript-sdk.smartcar.com
cdn.smartcar.com
developer-backend.smartcar.com
connectyourcar.com
Out of scope
Any domain/property of Smartcar not listed in the In Scope section is out of scope. This includes any/all subdomains not listed above. Any services hosted by 3rd party providers and services are excluded from scope including the following.
support.smartcar.com
drive.smartcar.com
calendar.smartcar.com
mail.smartcar.com
How to report
Email security@smartcar.com. A good report includes:
What the issue is and where you found it (the URL or endpoint)
The steps to reproduce it
Any proof of concept, screenshots, or request/response samples that help us confirm it
We read every report and will confirm we got yours within five business days.
What happens next
We acknowledge your report.
We check it against the relevant system to confirm whether it's valid and how serious it is.
If it's valid, we prioritize a fix by severity and let you know when it's resolved.
With your permission, we're happy to credit you once the issue is fixed.
Rewards
Smartcar runs a vulnerability disclosure program, not a paid bug bounty. We don't offer monetary rewards or bounties for reports. We do value the work researchers put in, and we'll acknowledge you for a valid finding if you'd like the credit.
Ground rules
Test only the in-scope domains listed above, and keep your testing safe:
Don't run tests that degrade service for others, including denial-of-service or heavy automated scanning.
Don't access, change, or delete data that isn't yours. Use your own test accounts.
No social engineering, phishing, or physical attacks against Smartcar staff or facilities.
Give us a reasonable window to fix a valid issue before sharing it publicly.
If you make a good-faith effort to follow this policy, we'll treat your research as authorized and won't pursue legal action over it.