Vroom is committed to the security of our services and our customers’ information. If you are a security researcher and believe that you have discovered a security vulnerability involving Vroom services or sites, we encourage you to securely disclose it to us in a responsible manner, as directed by this Responsible Disclosure Policy (the “Policy”). We appreciate your efforts in helping protect customer trust and make Vroom more secure. Vroom reserves all legal rights in the event of any non-compliance with this Policy.
We encourage security researchers to share the details of any suspected vulnerabilities by submitting the form at the bottom of this page (the “Form”) as directed. Each submission will be reviewed to determine if the finding is valid and not previously reported. In order for a security researcher to be considered for monetary compensation, security researchers must include information sufficient to permit the vulnerability noted in the Form to be reproduced. If you discover personally identifiable information while exploring a suspected security vulnerability, we ask that you cease your investigation and report the vulnerability that led to such discovery immediately. If you identify a vulnerability in accordance with the Policy and the Form, Vroom commits to working with you to understand, validate and address the vulnerability appropriately per the assessed risk.
Compliance with this policy
By submitting a potential vulnerability via the Form:
- You agree not to publicly disclose the vulnerability unless and until Vroom agrees to a public disclosure.
- You agree to keep all communication with Vroom confidential.
- You represent that your finding is original to you and that if you submit a third-party finding, you represent that you have the permission to do so.
- You allow Vroom and its subsidiaries the unconditional ability to use, distribute or disclose information provided in your report.
- You agree that Vroom, in its sole determination, may reward or recognize findings made in accordance with this Policy.
The Form is not intended to be used by, and this Policy is not directed to:
- Employees of Vroom; Vroom’s subsidiaries, affiliates, or partners;
- Vendors currently working with or for Vroom or Vroom’s subsidiaries, affiliates, or partners; or
- Residents of countries on the United States Office of Foreign Assets Control’s (OFAC) Sanctions List.
In addition, to remain compliant with this Policy, security researcher(s) are prohibited from:
- Accessing, downloading, or modifying data residing in an account that does not belong to the security researcher(s);
- Executing or attempting to execute any “Denial of Service” or related attack against any Vroom system or service;
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software on or to any Vroom system or service;
- Testing any suspected vulnerability in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or any other form of unsolicited message;
- Threatening or trying to extort Vroom concerning the vulnerability;
- Testing any suspected vulnerability in a manner that would degrade or negatively impact the operation of any Vroom service or system; and/or
- Testing third-party applications, websites, or services that integrate with or link to any Vroom service or system.
Legal Safe Harbor
Vroom will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Policy. We will waive any restrictions in our applicable Terms of Service that would prohibit your participation in Vroom’s responsible disclosure program, so long as your participation is in accordance with the terms thereof, for the limited purpose of your security research under this Policy. We cannot authorize any activity on third-party products or guarantee they won’t pursue legal action against you. We aren’t responsible for your liability from actions performed on third parties.
Don’t do anything illegal or unethical. You are responsible for complying with local laws, regulations, and any other restrictions.