Responsible Disclosure Policy
At Tractive, we consider the security of our systems, apps and devices a top priority. We appreciate the community's assistance in identifying any vulnerabilities so that we can address them as quickly as possible. However, we would like to clarify the scope of this policy to make it more effective for everyone involved.
Scope
We are interested in receiving vulnerability reports for our primary platforms, apps, and services, specifically those systems we directly manage and control.
Out of Scope: Please note that vulnerabilities found in third-party services or subdomains that are not directly controlled by Tractive are out of scope for this program. This includes, but is not limited to:
- Subdomains such as help.tractive.com (operated by Zendesk)
- The subdomain insurance-uk.tractive.com (operated by Ignite Systems)
- Third-party services, including those provided by our partners or vendors
Reports related to these out-of-scope domains will not be eligible for a reward and should be directed to the appropriate third-party provider.
Reporting a Vulnerability
If you believe you have found a vulnerability within the in-scope systems:
- E-mail your findings to security@tractive.com.
- Provide clearly reproducible steps, including:
  - Detailed Description: A clear description of the vulnerability and its impact.
  - Reproduction Steps: Step-by-step instructions to reproduce the issue, including:
    - URLs, endpoints, and any specific parameters involved.
    - Screenshots or screen recordings that illustrate the problem.
  - Affected System Details: Specify the affected subdomain, service, or endpoint.
  - Expected vs Actual Behavior: Describe what you expected to happen versus what actually occurred.
  - Show the Impact: Provide information on the potential security risk and the impact it could have on users or the system.
- Please Adhere to the Following:
  - Do not take advantage of the vulnerability, e.g., by downloading more data than necessary or modifying or deleting data.
  - Do not disclose the vulnerability to others until it has been resolved.
  - Do not use physical attacks, social engineering, distributed denial of service (DDoS), spam, or attacks on third-party applications.
What We Promise
- We will respond to in-scope reports.
- We will provide updates every two weeks until the reported security issues with customer impact are resolved.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
- We will handle your report with strict confidentiality and will not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress toward resolving the problem.
- In public information concerning the problem, we will acknowledge your contribution (unless you desire otherwise).
- As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us and potentially has customer impact in one of our platforms. The amount of the reward will be determined based on the severity of the vulnerability and the quality of the report.
Reward Eligibility: Rewards are provided only for verified vulnerabilities that affect platforms explicitly within the scope of this program and have not been previously reported or already known to us. Reports concerning third-party systems or previously identified issues are not eligible for rewards. Additionally, if an individual violates our responsible disclosure guidelines, either repeatedly or continuously, we reserve the right to disqualify them from receiving rewards and, if necessary, to block further participation in the program.
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
Attribution: This policy is a derived work from Floor Terra’s Responsible Disclosure.