RideCo takes the security and privacy of our systems and data seriously and always aims to provide the most secure platform possible. We investigate all received vulnerability reports and implement the best course of action in order to protect our customers and partners.
At RideCo, we believe that working with dedicated as well as independent security researchers can help identify weaknesses in any technology.
If you are a security researcher and have discovered a security vulnerability in RideCo products and services, we appreciate your help in disclosing it to us in a responsible manner.
REPORTING A POTENTIAL SECURITY VULNERABILITY
If you believe you have identified a vulnerability:
Gather all relevant details of the suspected vulnerability including which system, the date and time it was discovered, the mechanisms used to discover the vulnerability and a comparison of expected vs. actual behaviour
Send an e-mail to firstname.lastname@example.org notifying the RideCo team of which system is affected, the issue identified and your preferred contact method
Please do not share your findings elsewhere before RideCo has had reasonable time to respond to you directly with our own findings, remediations and other considerations
UPON RECEIPT OF DISCLOSURE, RIDECO WILL:
Provide an acknowledgement of your report (typically within 48 business hours of submission)
Communicate with you through secure channels to validate and remediate any findings
Provide you with notice when the vulnerability has been resolved
Provide acknowledgement in published reports
Post a security advisory/CVE if required
WHILE RESEARCHING, THE FOLLOWING CONDUCT IS EXPRESSLY PROHIBITED
Performing actions that may negatively affect RideCo and its users (e.g. spam, brute force, denial of service, etc.)
Accessing, or attempting to access, data or information that does not belong to you
Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
Conducting any kind of physical or electronic attack on RideCo personnel, property, or system environments
Social engineering of any RideCo employees or contractors
Violating any laws or breaching any agreements in order to discover vulnerabilities
CHANGES TO POLICY
We may revise these guidelines from time to time. The most current version of the guidelines will be available here.
Please visit https://www.rideco.com/contact to provide RideCo with feedback, questions or concerns not relating to Responsible Disclosure.
It is the responsibility of RideCo’s Incident Response Team to enforce this policy.