Responsible Disclosure
Edmunds is committed to the security of our services and our customers' information. If you are a security researcher and have discovered a security vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible manner.
Prohibited Actions
Security researchers are prohibited from taking the following actions when investigating a potential security vulnerability:
- Accessing, downloading or modifying data residing in any account that does not belong to that individual.
- Executing or attempting to execute any denial of service attack.
- Knowingly posting, transmitting, uploading, linking to, sending, or storing any malicious software on or through Edmunds services.
- Sending or causing the sending of spam messages or other unsolicited messages to users.
- Testing in a manner that would degrade the operation of our services.
- Public disclosure of the details of any identified suspected vulnerability without express written consent from Edmunds.
- Any other testing that violates applicable law or our Visitor Agreement.
Any activities conducted in a manner consistent with our policies will be considered authorized conduct and we will not initiate legal action against you.
Reporting
Please share the details of any suspected or detected vulnerabilities with the Edmunds Security Team by emailing responsible_disclosure@edmunds.com. The Edmunds Security Team will conduct a thorough investigation and then take the appropriate action.