Carvana’s Responsible Disclosure Policy
Carvana’s code of ethics, foundation of trust, and its constant efforts to ensure that we are always acting prudently as a company is built upon the confidence that our customers place in us. As a result of these core values, the security of our online platforms - and the data housed within these platforms - is of paramount importance. If you are a security researcher and believe that you have discovered a security vulnerability involving Carvana services or sites, we encourage you to securely disclose it to us in a responsible manner, as directed by this Responsible Disclosure Policy (the “Policy”). Carvana will engage with security researchers when vulnerabilities are reported to us in accordance with this Policy. We will also validate and fix confirmed vulnerabilities affecting our services or sites in accordance with our commitment to security and privacy. We will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Policy. Carvana reserves all legal rights in the event of any non-compliance with this Policy.
We encourage security researchers to share the details of any suspected vulnerabilities with the Carvana Information Security Team by submitting the form at the bottom of this page (the “Form”) as directed. Carvana will review each submission to determine if the finding: (a) is valid and (b) has not previously been reported. Carvana and this Policy require security researchers to include detailed information with steps for Carvana’s Information Security Team to reproduce the vulnerability in the Form in order for a security researcher to be considered for monetary compensation.
If you identify a novel and valid suspected security vulnerability in compliance with this Policy, Carvana commits to:
- Work with the security researcher(s) to understand and validate the suspected vulnerability; and
- Address any valid vulnerability or risk (as deemed necessary and/or appropriate by Carvana).
Noncompliance With this Policy
Public disclosure - by a security researcher or otherwise - of the details of any identified suspected vulnerability without express written consent from Carvana’s InfoSec Team will deem any Form submission under this Policy as noncompliant with this Policy.
The Form is not intended to be used by, and this Policy is not directed to:
- Employees of Carvana;
- Carvana’s subsidiaries, affiliates, or partners;
- Vendors currently working with or for Carvana or Carvana’s subsidiaries, affiliates, or partners; or
- Residents of countries on the United States Office of Foreign Assets Control’s (OFAC) Sanctions List.
In addition, to remain compliant with this Policy, security researcher(s) are prohibited from:
- Accessing, downloading, or modifying data residing in an account that does not belong to the security researcher(s);
- Executing or attempting to execute any “Denial of Service” or related attack against any Carvana system or service;
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software on or to any Carvana system or service;
- Testing any suspected vulnerability in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or any other form of unsolicited message;
- Testing any suspected vulnerability in a manner that would degrade or negatively impact the operation of any Carvana service or system; and/or
- Testing third-party applications, websites, or services that integrate with or link to any Carvana service or system.