Responsible disclosure policy
Responsible disclosure overview
At Geotab, we take security of our users’ data very seriously. If you have discovered or believe you have discovered potential security vulnerabilities in a Geotab Service, we encourage you to disclose your discovery to us as quickly as possible. All submissions must be in accordance with the Geotab Vulnerability Disclosure Program Policy.
We will work with you to validate and respond to security vulnerabilities that you report to us. Because public disclosure of a security vulnerability could put the entire Geotab community at risk, we require that you keep such potential vulnerabilities confidential until we are able to address them. We will not take legal action against you or suspend or terminate your access to any Geotab Services, provided that you discover and report security vulnerabilities in accordance with this Responsible Disclosure Program. Geotab reserves all of its legal rights in the event of any noncompliance.
If you have a disclosure which is related to any Government data, please report it directly to us here.
We will work with you to validate and respond to security vulnerabilities that you report to us. Because public disclosure of a security vulnerability could put the entire Geotab community at risk, we require that you keep such potential vulnerabilities confidential until we are able to address them. We will not take legal action against you or suspend or terminate your access to any Geotab Services, provided that you discover and report security vulnerabilities in accordance with this Responsible Disclosure Program. Geotab reserves all of its legal rights in the event of any noncompliance.
If you have a disclosure which is related to any Government data, please report it directly to us here.
Discovering security vulnerabilities
We encourage responsible security research on the Geotab services and products, including Webtask. We allow you to conduct vulnerability research and testing on the Geotab Services to which you have authorized access. In no event shall your research and testing involve:
• Physical attacks against Geotab employees, and/or offices.
• Social engineering of Geotab employees, customers, contractors, vendors, or service providers.
• Knowingly posting, transmitting, uploading, linking to, or sending any malware to or from Geotab-owned assets or systems.
• Pursuing vulnerabilities discovered on Geotab-owned assets or systems, which send unsolicited bulk messages (spam) or unauthorized messages.
• Any vulnerability obtained through the compromise of a Geotab customer, reseller or employee account.
• Being an individual on, or residing in any country on, any Canadian or U.S. sanctions lists.
• Submitting vulnerabilities that Geotab is unable to reproduce or acknowledge; for example anonymous submissions and submissions with insufficient information.
• Physical attacks against Geotab employees, and/or offices.
• Social engineering of Geotab employees, customers, contractors, vendors, or service providers.
• Knowingly posting, transmitting, uploading, linking to, or sending any malware to or from Geotab-owned assets or systems.
• Pursuing vulnerabilities discovered on Geotab-owned assets or systems, which send unsolicited bulk messages (spam) or unauthorized messages.
• Any vulnerability obtained through the compromise of a Geotab customer, reseller or employee account.
• Being an individual on, or residing in any country on, any Canadian or U.S. sanctions lists.
• Submitting vulnerabilities that Geotab is unable to reproduce or acknowledge; for example anonymous submissions and submissions with insufficient information.
Issues not to report
The following is a partial list of issues that we ask for you not to report, unless you believe there is an actual vulnerability:
• CSRF on forms that are available to anonymous users
• Disclosure of known public files or directories (e.g. robots.txt)
• Domain Name System Security Extensions (DNSSEC) configuration suggestions
• Banner disclosure on common/public services
• HTTP/HTTPS/SSL/TLS security header configuration suggestions
• Lack of Secure/HTTPOnly flags on non-sensitive cookies
• Logout Cross-Site Request Forgery (logout CSRF)
• Phishing or Social Engineering Techniques
• Presence of application or web browser 'autocomplete' or 'save password' functionality
• Sender Policy Framework (SPF) configuration suggestions
• CSRF on forms that are available to anonymous users
• Disclosure of known public files or directories (e.g. robots.txt)
• Domain Name System Security Extensions (DNSSEC) configuration suggestions
• Banner disclosure on common/public services
• HTTP/HTTPS/SSL/TLS security header configuration suggestions
• Lack of Secure/HTTPOnly flags on non-sensitive cookies
• Logout Cross-Site Request Forgery (logout CSRF)
• Phishing or Social Engineering Techniques
• Presence of application or web browser 'autocomplete' or 'save password' functionality
• Sender Policy Framework (SPF) configuration suggestions
Reporting security vulnerabilities
If you believe you have discovered a security vulnerability issue, please share the details with Geotab by filling the form below.
Geotab will acknowledge receipt of your report within 2 business days, provide you with an estimated timetable for resolution of the vulnerability, notify you when the vulnerability is fixed, and, with your permission, publicly acknowledge your responsible disclosure.
Email communication between you and Geotab, including without limitation, emails you send to Geotab reporting a potential security vulnerability, should not contain any of your proprietary information. The contents of all email communication you send to Geotab shall be considered non-proprietary. Geotab, or any of its affiliates, may use such communication or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting. Further, Geotab and its affiliates are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to Geotab for any purpose whatsoever, including, but not limited to, fixing, developing, manufacturing, and marketing products. By submitting any information, you are granting Geotab a perpetual, royalty-free and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer and sell such information.
Geotab will acknowledge receipt of your report within 2 business days, provide you with an estimated timetable for resolution of the vulnerability, notify you when the vulnerability is fixed, and, with your permission, publicly acknowledge your responsible disclosure.
Email communication between you and Geotab, including without limitation, emails you send to Geotab reporting a potential security vulnerability, should not contain any of your proprietary information. The contents of all email communication you send to Geotab shall be considered non-proprietary. Geotab, or any of its affiliates, may use such communication or material for any purpose whatsoever, including, but not limited to, reproduction, disclosure, transmission, publication, broadcast, and further posting. Further, Geotab and its affiliates are free to use any ideas, concepts, know-how, or techniques contained in any communication or material you send to Geotab for any purpose whatsoever, including, but not limited to, fixing, developing, manufacturing, and marketing products. By submitting any information, you are granting Geotab a perpetual, royalty-free and irrevocable right and license to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer and sell such information.
Past contributors
Find past contributors here.