Update
Please note that during the holiday season our responses may be slightly delayed. We thank you for your patience during this period.
HAPPY HOLIDAYS!
We Are Running a Promotion:
Hello Hackers,
It's been three months since we started our Disclosure Program. To celebrate this small step in our activities, we are pleased to offer a promotion to help us improve our security even more.
We will award vouchers for free car rentals and swag bags for critical to medium vulnerabilities found in our assets as described in the scope of our program. These goodies will be awarded on a first submit, first receive basis.
Please consider the terms and conditions.
Thank you for your continuous support and research.
Happy Hacking!!
In short:
For all assets described in our program scope!
How will it work?
- First 5 x Critical vulnerabilities found: We will offer a voucher for a Medium Sized Vehicle for a full week
- First 5 x High vulnerabilities found: We will offer a voucher for a Medium Sized Vehicle for a weekend (Friday 12pm to Monday 6am)
- First 5 x Medium vulnerabilities found: We will offer a Swag Bag with some swag from our Sixt Tech Department
Conditions:
- Specific conditions for these vouchers will apply, mainly the restriction that they can only be redeemed in one of the following countries: Austria, Belgium, France, Germany, Italy, Luxemburg, Monaco, Netherlands, Spain, Switzerland, UK and USA
NB: The vouchers are personalized, cannot be sold and any extras or upsells have to be covered by the redeemer. The vouchers cannot be redeemed in cash.
Sixt GmbH & Co. Autovermietung KG looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Response Targets
Sixt GmbH & Co. Autovermietung KG will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Sixt Program Terms
- Sixt provides mobility: car rental, car sharing and ride hailing. Our car rental service is available in over 100 countries in the world.
- While rental reservations can be made in multiple ways (web page, Sixt APP, indirectly via travel agencies or booking portals), the Sixt APP is needed to use further online services like car sharing.
- The scope of Sixt's Vulnerability Disclosure Program is currently limited to the defined assets.
- We will constantly review our assets, so please come back and check for changes. Please review our out of scope section before submitting any report. However, if it’s not out of scope, and it’s impactful, it’s in scope. If you find something that would be impactful to our users and customers, we want to hear about it.
- The security and privacy of our customers is of utmost interest to us.
- Your participation in our managed program is voluntary. By submitting a report or otherwise disclosing a vulnerability to us (making a “Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).
Basic Rules
- Customer data has to be respected
- Don’t leave any system in a more vulnerable state than it is
- No public exposure of a vulnerability on any other platform than here
- You support us, we support you. However, if it sometimes takes a little longer to get a reaction, please be respectful in your communication
Processes
- Sixt allows customers to make reservations in different ways:
- Logged in, not logged in, via business partner interfaces or via sales agents. Digital services like our products SixtShare (car sharing) or Fastlane (car rental without engagement at the counter) need a detailed registration including ID documents and driver license for insurance reasons.
- Please register on our webpages with valid documents and your @wearehackerone.com email address and use this address on our (Stage and Production) environments in Web and APP.
- If you already have an account with Sixt, please do not use this for your vulnerability research.
What can happen during your activities:
- We put our trust in you and believe that you act in good faith when investigating and reporting vulnerabilities to us. Acting in good faith means that you will play by HackerOne's rules and by our rules described in the scope.
- For our users' privacy we have a special request: if you encounter personal data of other customers or Sixt employees during your activities, please follow this procedure:
- Stop right there. Actions taken beyond this are not authorized.
- Report this immediately to our Program Team so we can investigate.
- Do not save, copy, store, transfer, disclose, or otherwise retain any information.
- Work with us if we have any further requests.
- We value your time, feedback and know-how. If you have made a good faith effort to abide by our and HackerOne's Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Programs of HackerOne.
- If at any point while researching a vulnerability you are unsure whether you should continue, immediately engage with our Program Team. We are there to help you.
Eligibility to Participate
To be eligible to participate in our program, you have to:
- Be at least 18 years of age if you test using a Sixt Account or register for an account.
- Not be employed by Sixt or any of its affiliates or an immediate family member of a person employed by Sixt or any of its affiliates.
- Not be a resident of, or make Submissions from, a country against which Germany has issued export sanctions or other trade restrictions.
- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Vulnerability Disclosure Program.
- Not be using duplicate HackerOne accounts.
If (i) you do not meet the eligibility requirements above, (ii) you breach any of these Program Terms or any other agreements you have with Sixt SE or its affiliates, or (iii) we determine that your participation in the HackerOne Program could adversely impact us, our affiliates or any of our users, employees or agents, then we may remove you from the HackerOne Program and disqualify you from receiving any benefit of the relevant HackerOne Programs.
Submissions and Report Quality
Security Impact
Your reports are handled in different teams as they might impact different products, services and/or have varying threat levels (external and internal). Therefore, we would like to ask you to title your reports using the following categories:
- Data Exposure: the ability to access user data, employee data, or sensitive Sixt business data without having an authorized relationship with the victim or the company. Factors considered may include:
- Number of impacted users
- Sensitivity of data exposed
- Scale of exposure
- Unauthorized Actions on Behalf of User: the ability to forge authenticated actions on behalf of a Victim. Factors considered may include:
- Ability to modify data on behalf of another user
- Severity of forged actions
- Possibility of account takeover
- Level of privilege/access obtained
- Actions noticeable by victim
- Initiate a reservation, request a ride or start a
- Unauthorized Actions on Behalf of Sixt: the ability to forge authenticated actions on behalf of Sixt. Factors considered may include:
- Actions performed by the authenticated request
- Level of privilege/access obtained
- Service interruption
- Requires brute forcing
- Monetary Impact: the ability to cause monetary impact to Sixt or Sixt users through a technical vulnerability. Factors considered may include:
- Financial impact
- Service interruption
- Number of impacted users
- Requires multiple accounts
- Social Engineering: the ability to carry out targeted and convincing phishing on Sixt users. (Important Note: active Social Engineering is out of scope and not sanctioned in our program.) Factors considered may include:
- Sensitivity of data exposed
- Number of users impacted
- Possibility of account takeover
- Ability to control content
- Existence of rate-limiting
- Physical Safety: the ability to bypass physical safety controls through a technical vulnerability -- the key aspect of these reports is that there exists a technical vulnerability in our services. Factors considered may include:
- Potential to cause physical harm
- Number of users potentially impacted
Out-of-Scope
Confidentiality
Any information you receive or collect about us, our affiliates or any of our users, employees or agents in connection with the Program (“Confidential Information”) must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform. Please note, not all requests for public disclosure can be approved.
Rights and Licenses
- We may modify the Program Terms or cancel the Program at any time.
- By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission.
- By making a Submission, you give us the right to use your Submission for any purpose.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Sixt GmbH & Co. Autovermietung KG and our users safe!