RideCo Responsible Disclosure Program 
RideCo takes the security and privacy of our systems and data seriously and always aims to provide the most secure platform possible. We investigate all received vulnerability reports and implement the best course of action in order to protect our customers and partners.
Home

Last Updated: July 2023


At RideCo, we believe that working with dedicated as well as independent security researchers can help identify weaknesses in any technology. If you are a security researcher and have discovered a security vulnerability in RideCo products and services, we appreciate your help in disclosing it to us in a responsible manner.


REPORTING A POTENTIAL SECURITY VULNERABILITY


If you believe you have identified a vulnerability:

  • Gather all relevant details of the suspected vulnerability including which system, the date and time it was discovered, the mechanisms used to discover the vulnerability and a comparison of expected vs. actual behaviour
  • Send an e-mail to disclosure@rideco.com notifying the RideCo team of which system is affected, the issue identified and your preferred contact method
  • Please do not share your findings elsewhere before RideCo has had reasonable time to respond to you directly with our own findings, remediations and other considerations


    • UPON RECEIPT OF DISCLOSURE, RIDECO WILL:


  • Provide an acknowledgement of your report (typically within 48 business hours of submission)
  • Communicate with you through secure channels to validate and remediate any findings
  • Provide you with notice when the vulnerability has been resolved
  • Provide acknowledgement in published reports
  • Post a security advisory/CVE if required

    • WHILE RESEARCHING, THE FOLLOWING CONDUCT IS EXPRESSLY PROHIBITED


  • Performing actions that may negatively affect RideCo and its users (ex: spam, brute force, denial of service, etc)
  • Accessing, or attempting to access, data or information that does not belong to you
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
  • Conducting any kind of physical or electronic attack on RideCo personnel, property, or system environments
  • Social engineering of any RideCo employees or contractors
  • Violating any laws or breaching any agreements in order to discover vulnerabilities

    • CHANGES TO POLICY


    We may revise these guidelines from time to time. The most current version of the guidelines will be available here.


    CONTACT


    Please visit https://www.rideco.com/contact to provide RideCo with feedback, questions or concerns not relating to Responsible Disclosure.


    RESPONSIBILITY


    It is the responsibility of RideCo’s Incident Response Team to enforce this policy.

    PRODUCTS
    Passenger AppDriver AppOperations CenterData InsightsProfile Manager
    USE CASES
    ParatransitUnderperforming Bus RoutesEmployee CommutingFirst/Last MileLong-Distance CommutingLow-Density Area Mobility
    COMPANY
    About UsCase StudiesCareersContact UsTech PartnersFleet PartnersConsultants
    RESOURCES
    ResourcesDriver TermsRider TermsPrivacy PolicySecurityAccessibility PolicyResponsible Disclosure Program