Vulnerability Disclosure Program Policy and Rules of Engagement

The scope of this inDriver’s Vulnerability Disclosure Program Policy is limited to searching for technical vulnerabilities in the company's services and official mobile applications.

Vulnerabilities are data flaws and/or technical issues in the system, the intentional exploitation of which can compromise the system’s integrity, confidentiality, or its proper functionality.

For questions not related to this Program, please contact   support@indriver.com

We do not initiate security investigations regarding:

  • Messages from security scanners and other automated systems;
  • Vulnerability reports based on software/protocol versions not indicating the actual usage/exploitation;
  • Reports about the absence of a protection mechanism or non-compliance with recommendations (for example, the absence of a CSRF token) without indicating real negative consequences;
  • Self-XSS;
  • Framing;
  • Social engineering;
  • Clickjacking;
  • SPF/DKIM/DMARC issues;
  • Vulnerabilities in partner services and products that do not directly affect the security of the company's services.

Strictly prohibited actions:

  • DoS / DDoS attacks;
  • Threats/harm to company employees.

Report a Vulnerability

If you have information about a security issue or vulnerability in inDriver web services or mobile applications, please send an e-mail to   cybersecurity@indriver.com   following the rules mentioned below. Please provide as much information as possible.

Application format:

  1. Summary
  2. The type of vulnerability
  3. Steps to reproduce (Proof of Concept)
  4. Impact
  5. Testing environment
  6. Remediation steps

Vulnerability disclosure

Disclosure of vulnerabilities, including partial disclosure, to any third party other than the Company is not allowed without prior written consent of the inDriver Security Team.
Any sensitive information including (but not limited to) infrastructure and implementation details, internal documentation procedures and interfaces, source code, users and employees data accidentally obtained during vulnerability research or demonstration must not be disclosed. Intentional access to this information is strongly prohibited.