Data Security

Vulnerability Disclosure Program

No technology is perfect and Smartcar believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology.

Scope

In scope

Testing is only authorized on the target domains listed as in scope.

  • smartcar.com

  • api.smartcar.com

  • auth.smartcar.com

  • connect.smartcar.com

  • dashboard.smartcar.com

  • javascript-sdk.smartcar.com

  • cdn.smartcar.com

  • developer-backend.smartcar.com

  • connectyourcar.com

Out of scope

Any domain/property of Smartcar not listed in the In Scope section is out of scope. This includes any/all subdomains not listed above. Any services hosted by 3rd party providers and services are excluded from scope including the following.

  • support.smartcar.com

  • drive.smartcar.com

  • calendar.smartcar.com

  • mail.smartcar.com

How to report

Email security@smartcar.com. A good report includes:

  • What the issue is and where you found it (the URL or endpoint)

  • The steps to reproduce it

  • Any proof of concept, screenshots, or request/response samples that help us confirm it


We read every report and will confirm we got yours within five business days.

What happens next

  • We acknowledge your report.

  • We check it against the relevant system to confirm whether it's valid and how serious it is.

  • If it's valid, we prioritize a fix by severity and let you know when it's resolved.

  • With your permission, we're happy to credit you once the issue is fixed.

Rewards

Smartcar runs a vulnerability disclosure program, not a paid bug bounty. We don't offer monetary rewards or bounties for reports. We do value the work researchers put in, and we'll acknowledge you for a valid finding if you'd like the credit.

Ground rules

Test only the in-scope domains listed above, and keep your testing safe:

  • Don't run tests that degrade service for others, including denial-of-service or heavy automated scanning.

  • Don't access, change, or delete data that isn't yours. Use your own test accounts.

  • No social engineering, phishing, or physical attacks against Smartcar staff or facilities.

  • Give us a reasonable window to fix a valid issue before sharing it publicly.


If you make a good-faith effort to follow this policy, we'll treat your research as authorized and won't pursue legal action over it.