December 4, 2023

Driving forward with confidence: Smartcar's Vulnerability Disclosure Program puts you in control!

Erica Bickel

Content Marketing Manager

Our 2023 State of Connected Car Apps Report identified greater vehicle data privacy and consumer safety as key elements of growth for the mobility industry in the coming years. As part of Smartcar’s commitment to these efforts, we’ve established a Vulnerability Disclosure Program (VDP), which gives us a proactive way to find and eliminate security weaknesses as threats evolve. Under this collaborative system, we aim to lead the charge in automotive data safety.

Smartcar’s Vulnerability Disclosure Program

VDPs, or Vulnerability Disclosure Programs, help companies identify flaws and vulnerabilities in their systems before attackers exploit them. To do so, organizations invite so-called “ethical hackers” (security researchers) to probe in-scope systems and report what they find through a sanctioned channel, rather than waiting for a real attack to reveal the weakness. The reports let us fix issues proactively and continually improve our networks and cyber defenses.

Smartcar lists the in-scope target endpoints open for testing so that ethical hackers and security researchers have a clear framework to start from. Our submission form asks for the technical severity, the vulnerability details, and clear documentation of the discovered “bug” (ideally including reproduction steps), as this helps Smartcar triage and prioritize the issue. If you think you’ve found a flaw in our security, we invite you to report it here.

Our other on-hand security measures

Smartcar Connect is our user onboarding flow, in which user consent is collected according to the OAuth 2.0 authorization framework and every page is served over TLS (HTTPS). Vehicle owners can review the specific permissions an app is requesting before consenting to share access to those data points or actions. Smartcar’s End User Privacy Policy is embedded within the flow to ensure users know how their information is handled, and customers can also link their own privacy policy into the flow.
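To make the consent flow described above concrete, here is an added example (not Smartcar’s code or SDK) of the two halves of an OAuth 2.0 authorization-code flow as an app would implement them: building the authorization request with an explicit, owner-visible scope list and an unguessable `state`, then validating the redirect back before exchanging the code. The endpoint URL, client ID, redirect URI and scope names are assumptions for illustration.

```python
"""Added example, not Smartcar's code: OAuth 2.0 authorization-code consent
flow from the app side. Endpoint, client ID, redirect URI and scope names are
assumed values for illustration only."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example.com/oauth/authorize"   # assumed
CLIENT_ID = "app-client-id"                                  # assumed
REDIRECT_URI = "https://app.example.com/callback"            # assumed; must match the pre-registered URI exactly


def new_state() -> str:
    """Per-request CSRF token; bind it to the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(scopes: list[str], state: str) -> str:
    """Build the request that sends the vehicle owner to the consent screen.

    Every scope listed here is what the owner sees and approves, so request
    only the permissions the app actually needs.
    """
    if not scopes:
        raise ValueError("request at least one scope")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),   # RFC 6749: scopes are space-delimited
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from the authorization server and return the
    authorization code. Raises on anything that should stop the flow."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at an unexpected URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        # Owner declined, or the server rejected the request: no code is issued.
        raise PermissionError(qs["error"][0])
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        # A mismatched state means this callback was not started by this
        # session (CSRF / login injection); never exchange the code.
        raise ValueError("state mismatch")
    codes = qs.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url(["read_odometer", "read_location"], st))
    # Constructed callback, as the browser would deliver it after consent:
    print(parse_callback(f"{REDIRECT_URI}?code=abc123&state={st}", st))
```

The code returned here is only a one-time credential; the app still exchanges it server-side for an access token, and it is that token (not the owner’s credentials) that the owner can later revoke.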

Smartcar runs on industry-standard cloud infrastructure configured according to security best practices to prevent unauthorized access to our platform. All requests to Smartcar services must be made over HTTPS, and all data stored on our platform is encrypted at rest with 256-bit Advanced Encryption Standard (AES-256).

Smartcar is also compliant with Europe’s General Data Protection Regulation (GDPR), undergoes periodic penetration testing, and annually re-attests to SOC 2 Type 2 compliance. Our platform processes only the data necessary to serve our customers, and vehicle owners can revoke their consent at any time.

Connect with Smartcar

We encourage security researchers and our own Smartcar users to find such issues and bring them to our attention. By providing a safe channel for disclosure, we hope to encourage open, regular audits and reiterate our commitment to data protection. To further secure and formalize these submissions, we run the program on Bugcrowd, the leading crowdsourced security platform.

Visit our data security page to learn about the measures we take to protect the Smartcar platform, or reach out to your Customer Success Manager for more information. If you’re evaluating Smartcar, you can contact our Sales team to request copies of these reports as part of your vendor security and compliance review.
