2020-09-07

Sixt GmbH & Co. Autovermietung KG

Update

Please note that during the holiday season our responses may be slightly delayed. We thank you for your patience during this period.

HAPPY HOLIDAYS!

We Are Running a Promotion:

Hello Hackers,
It's been three months since we started our Disclosure Program. To celebrate this small step, we are pleased to offer a promotion to help us improve our security even more.

We will award vouchers for free car rentals and swag bags for critical to medium vulnerabilities found in the assets described in the scope of our program. These goodies will be awarded on a first submitted, first received basis.

Please consider the terms and conditions.

Thank you for your continuous support and research

Happy Hacking!!

In short:
For all assets described in our program scope!

How will it work?

  • First 5 x Critical vulnerabilities found: We will offer a voucher for a Medium Sized Vehicle for a full week
  • First 5 x High vulnerabilities found: We will offer a voucher for a Medium Sized Vehicle for a weekend (Friday 12pm to Monday 6am)
  • First 5 x Medium vulnerabilities found: We will offer a swag bag with some swag from our Sixt Tech Department

Conditions:

  • Specific conditions for these vouchers will apply, mainly the restriction that they can only be redeemed in one of the following countries:

Austria, Belgium, France, Germany, Italy, Luxembourg, Monaco, Netherlands, Spain, Switzerland, UK and USA

NB: The vouchers are personalized and cannot be sold; any extras or upsells have to be covered by the redeemer. The vouchers cannot be redeemed in cash.

Sixt GmbH & Co. Autovermietung KG looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Sixt GmbH & Co. Autovermietung KG will make a best effort to meet the following SLAs for hackers participating in our program:

  Type of Response      SLA (in business days)
  First Response        2 days
  Time to Triage        2 days
  Time to Resolution    depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Sixt Program Terms

  • Sixt provides mobility – car rental, car sharing and ride hailing. Our car rental service is available in over 100 countries in the world.
  • While rental reservations can be done in multiple ways (web page, Sixt APP, indirect via travel agencies or booking portals), the Sixt APP is needed to use further online services like car sharing.
  • The scope of Sixt's Vulnerability Disclosure Program is currently limited to the defined assets.
  • We will constantly review our assets, so please come back and check for changes. Please review our out of scope section before submitting any report. However, if it’s not out of scope, and it’s impactful, it’s in scope. If you find something that would be impactful to our users and customers, we want to hear about it.
  • The security and privacy of our customers is of the utmost interest to us.

  • Your participation in our managed program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us (making a “Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).

  • Basic Rules

    • Customers data has to be respected
    • Don’t leave any system in a more vulnerable state than it is
    • No public exposure of a vulnerability on any other platform than here
    • You support us, we support you – however, if it sometimes takes a little longer to get a reaction, please be respectful in your communication

Processes

  • Sixt allows customers to make reservations in different ways: logged in, not logged in, via business partner interfaces or via sales agents. Digital services like our products SixtShare (car sharing) or Fastlane (car rental without engagement at the counter) need a detailed registration including ID documents and a driver's license for insurance reasons.
  • Please register on our webpages with valid documents and your @wearehackerone.com email address and use this address on our (Stage and Production) environments in Web and APP.
  • If you already have an account with Sixt, please do not use this for your vulnerability research.

What can happen during your activities:

  • We put our trust in you and believe that you act in good faith when investigating and reporting vulnerabilities to us. Acting in good faith means that you will play by HackerOne's rules and the rules described in our scope.
  • For our users' privacy we have a special request: if you encounter personal data of other customers or Sixt employees during your activities, please follow this procedure:
    • Stop right there. Actions taken beyond this are not authorized.
    • Report this immediately to our Program Team so we can investigate.
    • Do not save, copy, store, transfer, disclose, or otherwise retain any information.
    • Work with us if we have any further requests.
  • We value your time, feedback and know-how. If you have made a good faith effort to abide by our and HackerOne's Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Programs of HackerOne.
  • If at any point while researching a vulnerability you are unsure whether you should continue, immediately engage with our Program Team. We are there to help you.

Eligibility to Participate

To be eligible to participate in our program, you have to:

  • Be at least 18 years of age if you test using a Sixt Account or register for an account.
  • Not be employed by Sixt or any of its affiliates or an immediate family member of a person employed by Sixt or any of its affiliates.
  • Not be a resident of, or make Submissions from, a country against which Germany has issued export sanctions or other trade restrictions.
  • Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Vulnerability Disclosure Program.
  • Not be using duplicate HackerOne accounts.

If
    • (i) you do not meet the eligibility requirements above,
    • (ii) you breach any of these Program Terms or any other agreements you have with Sixt SE or its affiliates, or
    • (iii) we determine that your participation in the HackerOne Program could adversely impact us, our affiliates or any of our users, employees or agents,
then we may remove you from the HackerOne Program and disqualify you from receiving any benefit of the relevant HackerOne Programs.

Submissions and Report Quality

  • The quality of your report submission is critical to our response and reaction. The best reports provide enough actionable information to trace, verify and validate the issue without any follow up clarifying questions.
  • Check the scope page before you begin writing your report to ensure the issue you are reporting is in scope for the program.
  • Please add general data such as the URL/app used, the timestamp and the user account used
  • Please describe the use case you intended to perform

  • Please describe the steps as detailed as possible in order for the triage team to reproduce your findings.

  • Think through the attack scenario and exploitability of the vulnerability and provide as many clear details as possible for our team to reproduce the issue (include screenshots if possible).
  • Please include your understanding of the security impact of the issue, the more detail you can provide, the better.
  • To ease our investigation, please additionally provide timestamps of your activity so that we can find the corresponding actions in our logs more easily.
  • In some cases, it may not be possible to have all of the context on the impact of a bug. If you’re unsure of the direct impact, but feel you may have found something interesting, feel free to submit a detailed report and ask.
  • Video only proof-of-concepts (PoCs) will not be considered.
  • A vulnerability must be verifiable and reproducible for us to be considered in-scope.

Security Impact

Your reports are handled in different teams as they might impact different products, services and/or have varying threat levels (external and internal). Therefore, we would like to ask you to title your reports using the following categories:

  • Data Exposure: the ability to access user data, employee data, or sensitive Sixt business data without having an authorized relationship with the victim or the company. Factors considered may include:
    • Number of impacted users
    • Sensitivity of data exposed
    • Scale of exposure
  • Unauthorized Actions on Behalf of User: the ability to forge authenticated actions on behalf of a Victim. Factors considered may include:
    • Ability to modify data on behalf of another user
    • Severity of forged actions
    • Possibility of account takeover
    • Level of privilege/access obtained
    • Actions noticeable by victim
    • Initiate a reservation, request a ride or start a
  • Unauthorized Actions on Behalf of Sixt: the ability to forge authenticated actions on behalf of Sixt. Factors considered may include:
    • Actions performed by the authenticated request
    • Level of privilege/access obtained
    • Service interruption
    • Requires brute forcing
  • Monetary Impact: the ability to cause monetary impact to Sixt or Sixt users through a technical vulnerability. Factors considered may include:
    • Financial impact
    • Service interruption
    • Number of impacted users
    • Requires multiple accounts
  • Social Engineering: the ability to carry out targeted and convincing phishing on Sixt users. (Important Note: active Social Engineering is out of scope and not sanctioned in our program) Factors considered may include:
    • Sensitivity of data exposed
    • Number of users impacted
    • Possibility of account takeover
    • Ability to control content
    • Existence of rate-limiting
  • Physical Safety: the ability to bypass physical safety controls through a technical vulnerability -- the key aspect of these reports is that there exists a technical vulnerability in our services. Factors considered may include:
    • Potential to cause physical harm
    • Number of users potentially impacted

Out-of-Scope

  • It is necessary to demonstrate a security impact for a report to be considered - general software bugs are not in scope for this program.
  • Social Engineering
  • Self-defined physical or social engineering attempts (this includes phishing attacks against Sixt employees)
  • Send push notifications/SMS messages/emails without the ability to change content
  • Entering a Sixt station or office and hijacking an unattended terminal or hardware

  • Negligible security impact

  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Highly speculative reports about theoretical damage; nevertheless, a combination of attack vectors might be interesting for us
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue; Sixt is using those tools and provided these findings to HackerOne prior to the start of the program
  • Reports from automated web vulnerability scanners that have not been validated
  • We frequently receive scans results regarding SSL/TLS - save these bytes and the time to create a report
  • If you want to prove that you can open ports, please provide us with a proof-of-concept demonstrating vulnerability – we will reach out to you.
  • Please refrain from real Subdomain takeovers. Provide the payload and the vectors to achieve this, so we can check this.
  • We know that we are not perfect – there is no benefit in providing best practice reminders
  • Vulnerabilities that cannot be used to exploit other users or Sixt, for example the pasting of JavaScript in the browser console.
  • Missing cookie flags on non-authentication cookies
  • As for Cross-Site Request Forgery (CSRF), please consider that a report might be rejected if it has minimal security implications for Sixt and our customers
  • Reports that affect only outdated user agents or app versions; we only consider exploits in the latest browser versions of Safari, Firefox, Chrome, Edge and IE, and the versions of our application that are currently in the app stores
  • Issues that require physical access to a victim’s computer/device
  • Please ignore Stack traces, path disclosure and directory listings
  • Distributed denial of service attacks (DDOS)

Confidentiality

Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the Program (“Confidential Information”) must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.

Rights and Licenses

  • We may modify the Program Terms or cancel the Program at any time.
  • By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.
  • By making a Submission, you give us the right to use your Submission for any purpose.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Sixt GmbH & Co. Autovermietung KG and our users safe!


This program was found on HackerOne on 2020-09-07.
